The US has recently been confronted with a threat actor named ‘Vice Society’, which has been using ransomware and extortion to attack the education sector around the world, with a focus on the United States.

Researchers from Microsoft’s security team released an advisory on Vice Society, which the company has been tracking as DEV-0832, on Tuesday, detailing their findings.

Shifting ransomware payloads over time from BlackCat, QuantumLocker, and Zeppelin, DEV-0832’s latest payload is a Zeppelin variant that includes Vice Society-specific file extensions, such as .v-s0ciety, .v-society, and, most recently, .locked. In several cases, Microsoft assesses that the group did not deploy ransomware and instead possibly performed extortion using only exfiltrated stolen data.


DEV-0832, Focused on the Education Sector

Between July and October 2022, DEV-0832’s most recent opportunistic attacks had a big effect on the education sector. However, the company states that Vice Society has been operating since June of last year and its previous attacks hit a wide range of industries, including local government and retail.

The security researchers have concluded that the gang is financially motivated, as evidenced by its rotating targets and by the fact that it continues to go after businesses with less robust security, where compromise and an eventual ransom payout are more likely.

DEV-0832 uses “tactics, strategies, and procedures” that are “similar among other ransomware actors” before it deploys ransomware, according to the advisory.

As explained by Info Security, a few examples are the use of PowerShell scripts combined with repurposed legitimate utilities, the exploitation of publicly reported vulnerabilities to gain initial access and elevate privileges, and the deployment of commodity backdoors like SystemBC.

Ransomware has evolved into a complex threat that’s human-operated, adaptive, and focused on a wider scale, using data extortion as a monetization strategy to become even more impactful in recent years. To find easy entry and privilege escalation points in an environment, these attackers often take advantage of poor credential hygiene and legacy configurations or misconfigurations.


The advisory also offers information about the strategies used in the group’s campaigns. It contains hunting queries to help customers search their environments for crucial indicators, along with protection guidance and assistance against similar attacks.

Info Security also points out that this technical article was published weeks after Check Point’s 2022 Mid-Year Report, which revealed a worrying 44% increase in cyberattacks on the global education sector compared to 2021.

If you are interested in learning more about the most dangerous ransomware groups in 2022, check out this list prepared by my colleague Antonia.
