{ "id": "b5a4c582-827d-407d-a660-44335a051cc0", "created_at": "2026-04-06T00:13:19.41119Z", "updated_at": "2026-04-10T13:12:04.038167Z", "deleted_at": null, "sha1_hash": "4123e7809172b1aef9790e49c53d61c26c37a6f2", "title": "Vice Society: Ransomware Gang Disrupted Spar Stores", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 210508, "plain_text": "Vice Society: Ransomware Gang Disrupted Spar Stores\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 19:41:12 UTC\r\nBusiness Continuity Management / Disaster Recovery , Cybercrime , Cybercrime as-a-service\r\nCriminals Dump Data Stolen From Spar Store Operators in England and Isle of Man (euroinfosec) • December 30,\r\n2021    \r\nPhoto: Spar\r\nA ransomware operation called Vice Society has claimed credit for attacks that hit two groups of independently\r\nowned and operated Spar-branded stores earlier this month.\r\nSee Also: How AI Expands Risk Across Enterprise\r\nOn Dec. 6 via Twitter, Spar reported that for some of its U.K. operations, \"there has been an online attack on our\r\nIT systems which is affecting stores' ability to process card payments, meaning that a number of Spar stores are\r\ncurrently closed.\"\r\nNo specific ransomware group was blamed for the attack. But the Vice Society ransomware group on Friday\r\nclaimed credit for the hit via its data leak site, says Israeli threat intelligence firm Kela.\r\nSpecifically, Vice Society says it infected systems at James Hall \u0026 Co., which acts as the primary wholesaler to\r\nmore than 600 Spar stores in the north of England, and Heron and Brearley, owner of Mannin Retail, which\r\nhttps://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225\r\nPage 1 of 3\n\noperates 19 Spar stores on the Isle of Man. The Isle of Man is a self-governing British Crown Dependency located\r\nin the Irish Sea between Great Britain and Northern Ireland.\r\nScreenshot from the Vice Society data leak site (Source: Kela)\r\n\"When browsing through files leaked by Vice Society, Kela saw documents apparently related to Spar operations,\r\nas well as to both companies mentioned in the listing,\" Victoria Kivilevich, director of threat research at Kela, tells\r\nInformation Security Media Group. \"The gang published more than 93,000 files.\"\r\nAttack Aftermath\r\nThe naming of the victims by Vice Society, as well as the dumping of their allegedly stolen data, suggests that\r\nneither business paid a ransom to the attackers.\r\nHeron and Brearley didn't immediately respond to a request for comment. Multiple emails sent to James Hall \u0026\r\nCo., for which the website continues to be offline, were returned as undeliverable.\r\nBritain's National Cyber Security Center on Dec. 10 confirmed that James Hall \u0026 Co. had been attacked.\r\n\"We are aware of an incident affecting some Spar stores serviced by James Hall \u0026 Co. in the North of England\r\nand are working with partners in response,\" an NCSC spokesman said at the time. \"James Hall \u0026 Co. has\r\nconfirmed that it is now bringing affected stores back online.\"\r\nhttps://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225\r\nPage 2 of 3\n\nThe NCSC also urged organizations to follow its ransomware guidance \"help mitigate attacks, their impact and\r\nenable effective recovery.\"\r\nMore Attacks\r\nVice Society first launched its data leak site in May, on which it listed Indianapolis, Indiana-based Eskenazi\r\nHealth, a public health provider. The same month, the group also appeared to have been behind a ransomware\r\nattack against New Zealand's Waikato District Health Board.\r\nSince then, the group has continued to rack up new victims. In the past week, for example, beyond the Spar\r\noperators, the gang has also claimed credit for infecting with ransomware a Brazilian dental company and a\r\nColombian university.\r\nData-Leaking Ransomware Groups Continue\r\nVice Society is just one of a number of active ransomware groups that run data leak sites. In the past 10 days, Kela\r\nsays multiple groups have listed fresh victims on their sites. The groups include Alphv - aka Blackcat,\r\nAvosLocker, AtomSilo, BlackByte, Clop, Conti, 54bb47h, Grief, Hive, LockBit, LV, Quantum, Rook, Snatch and\r\nVice Society.\r\nThe monthly total number of victims being listed on ransomware groups' data leak sites continues to increase.\r\nCybersecurity firm Group-IB has reported that for the 12 months ending on June 30, the number of publicly listed\r\ninitial access offers - compared to the preceding 12-month period - nearly tripled, increasing from 362 to 1,099.\r\nThat trend has been continuing, says Allan Liska, an intelligence analyst at threat intelligence firm Recorded\r\nFuture. In September, he reported that the total number of monthly victims being listed across all ransomware\r\ngroups' data leak sites had hit an all-time high.\r\nBut the number of victims of ransomware groups remains unclear, in part because multiple gangs don't run data\r\nleak sites or attempt to publicly name and shame victims. And of the ones that do, Group-IB estimates that only\r\n13% of such groups' victims ever get listed on a data leak site.\r\nSource: https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225\r\nhttps://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225\r\nPage 3 of 3", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://www.govinfosecurity.com/vice-society-ransomware-gang-disrupted-spar-stores-a-18225" ], "report_names": [ "vice-society-ransomware-gang-disrupted-spar-stores-a-18225" ], "threat_actors": [ { "id": "a6814184-2133-4520-b7b3-63e6b7be2f64", "created_at": "2025-08-07T02:03:25.019385Z", "updated_at": "2026-04-10T02:00:03.859468Z", "deleted_at": null, "main_name": "GOLD VICTOR", "aliases": [ "DEV-0832 ", "STAC5279 ", "Vanilla Tempest ", "Vice Society", "Vice Spider " ], "source_name": "Secureworks:GOLD VICTOR", "tools": [ "Advanced IP Scanner", "Advanced Port Scanner", "HelloKitty ransomware", "INC ransomware", "MEGAsync", "Neshta", "PAExec", "PolyVice ransomware", "PortStarter", "PsExec", "QuantumLocker ransomware", "Rhysida ransomware", "Supper", "SystemBC", "Zeppelin ransomware" ], "source_id": "Secureworks", "reports": null }, { "id": "4e453d66-9ecd-47d9-b63a-32fa5450f071", "created_at": "2024-06-19T02:03:08.077075Z", "updated_at": "2026-04-10T02:00:03.830523Z", "deleted_at": null, "main_name": "GOLD LOTUS", "aliases": [ "BlackByte", "Hecamede " ], "source_name": "Secureworks:GOLD LOTUS", "tools": [ "BlackByte", "Cobalt Strike", "ExByte", "Mega", "RDP", "SoftPerfect Network Scanner" ], "source_id": "Secureworks", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "4e7fd07d-fcc5-459b-b678-45a7d9cda751", "created_at": "2025-04-23T02:00:55.174827Z", "updated_at": "2026-04-10T02:00:05.353712Z", "deleted_at": null, "main_name": "BlackByte", "aliases": [ "BlackByte", "Hecamede" ], "source_name": "MITRE:BlackByte", "tools": [ "AdFind", "BlackByte Ransomware", "Exbyte", "Arp", "BlackByte 2.0 Ransomware", "PsExec", "Cobalt Strike", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0", "created_at": "2024-02-02T02:00:04.041676Z", "updated_at": "2026-04-10T02:00:03.537352Z", "deleted_at": null, "main_name": "Vanilla Tempest", "aliases": [ "DEV-0832", "Vice Society" ], "source_name": "MISPGALAXY:Vanilla Tempest", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434399, "ts_updated_at": 1775826724, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/4123e7809172b1aef9790e49c53d61c26c37a6f2.pdf", "text": "https://archive.orkl.eu/4123e7809172b1aef9790e49c53d61c26c37a6f2.txt", "img": "https://archive.orkl.eu/4123e7809172b1aef9790e49c53d61c26c37a6f2.jpg" } }