{
	"id": "cb78f393-32db-4ac3-87e3-340926fec056",
	"created_at": "2026-04-06T00:16:36.579826Z",
	"updated_at": "2026-04-10T13:12:50.210286Z",
	"deleted_at": null,
	"sha1_hash": "823c07e0ac1cf5368e3e5360c562dfba28b352a6",
	"title": "Vice Society: a discreet but steady double extortion ransomware group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 717557,
	"plain_text": "Vice Society: a discreet but steady double extortion ransomware group\r\nBy Erwan Chevalier, Narimane Lavay and Sekoia TDR\r\nPublished: 2022-07-08 · Archived: 2026-04-05 17:17:36 UTC\r\nTable of contents\r\nAnalysis\r\nVice Society ransomware IOCs\r\nReferences\r\nThis blog post on the Vice Society ransomware group was originally published as a FLINT report (SEKOIA.IO Flash Intelligence) sent to our clients on June 29, 2022.\r\nWhat is Vice Society?\r\nVice Society is a little-known double extortion group that joined the cybercrime ecosystem a year ago. Since then, it has shown steady activity, encrypting and exfiltrating its victims’ data and threatening to leak their information to pressure them into paying a ransom. Unlike other RaaS (Ransomware-as-a-Service) double extortion groups, Vice Society focuses on intruding into victim systems to deploy ransomware binaries sold on dark web forums. This is likely a way for the group to save the resources it would otherwise spend developing its own ransomware.\r\nSEKOIA.IO investigations show that the group is currently leveraging the Zeppelin ransomware to target Windows systems, while HelloKitty samples were retrieved from its campaigns targeting Linux systems at the end of 2021. We also believe the group representatives are native English speakers.\r\nAnalysis\r\nThe Vice Society group mainly targets small or medium-sized companies in human-operated double extortion campaigns.\r\nhttps://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group\r\nPage 1 of 6\r\nFrom its launch until mid-June 2022, the group claimed campaigns targeting at least 88 victims, all of whom are still listed on its dedicated data leak site (DLS).\r\nWhile some ransomware gangs refrain from targeting healthcare, government and education organisations, Vice Society was not observed applying such restrictions. 
This group notably targets public school districts and other academic institutions: 26.1% of the victims listed on its data leak site are education-related entities. The group also shows a strong focus on the health sector.\r\nFigure 1. Evolution of publicly disclosed Vice Society ransomware attacks\r\nWhen asked by BleepingComputer why it targets healthcare organisations, the group responded with the following message: “Why not? They always keep our private data open. […] they don’t even try to protect our data. They have billions of government money. […] USA president gave a big amount to protect government networks and where is their protection? Where is our protection? If the IT department doesn’t want to do their job we will do ours and we don’t care if it is a hospital or university.”\r\nFigure 2. Sectors most impacted by the Vice Society ransomware group\r\n73.9% of the known victims of this cybercriminal group are located in France, the United States of America, the United Kingdom, Spain, Italy, Germany and Brazil.\r\nFigure 3. Countries most impacted by the Vice Society ransomware group, by increasing number of attacks\r\nThe Vice Society data leak site (a .onion service) has an old-style design and dated HTML. It is written in UK English and often shows a cynical sense of humour. We assess this threat group possibly impersonates a British persona as part of its TTPs.\r\nFigure 4. Samples of cynical messages published alongside victims’ leaks\r\nVice Society operators rely on very common penetration-testing skills, as described by Talos in one of their reports. Exploiting publicly available vulnerabilities (such as PrintNightmare) to achieve remote code execution seems to be the most advanced technique the group has been observed using. 
Additionally, Vice Society does not rely on self-developed capabilities.\r\nFigure 5. Vice Society ransom note left by a ransomware sample\r\nPivoting on the ransom note, SEKOIA.IO found several samples embedding it. While the ransom notes evolved over time, the group’s principal point of contact (v-society[.]official@onionmail[.]org) and DLS remain the same.\r\nThe oldest samples, from 2021, are HelloKitty ransomware for Linux (ELF binaries); the most recent ones (June 2022) are Zeppelin ransomware. The Zeppelin samples masquerade as legitimate Windows processes and seem to be linked to exploitation of the PrintNightmare vulnerability. Besides the ransom note, they are customised for Vice Society with an encrypted-file extension in the format “.v-society.XXX-XXX-XXX”, which is consistent with other ransomware operators using Zeppelin.\r\nZeppelin is offered as a Ransomware-as-a-Service (RaaS) on several Russian-speaking cybercrime forums (such as XSS, BHF, DarkMarket, IFUD). The developer behind Zeppelin goes under the name “buransupport”, and its presence on several underground forums dates back to at least May 2019. On 5 November 2019, the actor behind the “buransupport” moniker began to advertise a ransomware variant called Zeppelin. At first, the goal was to share the builder in order to obtain reviews of the new Zeppelin encrypter (based on the VegaLocker and Buran malware).\r\nIn June 2021, “buransupport” was advertising an affiliate program for its “Offline ransomware Zeppelin”.\r\nFigure 6. 
Zeppelin offline crypto-locker advertisement on a cybercrime forum on 13 June 2021\r\nThe author of the publication describes the ransomware functionalities, including “a robust crypto algorithm using global and session key + random file keys, scanning of all local drives and all available network paths, high speed, termination of some processes to release open files, possibility to encrypt files without extensions change”.\r\n“Buransupport” is still present and active on cybercrime forums, but no activity related to the Zeppelin ransomware was reported in 2022.\r\nSEKOIA.IO assesses that the Vice Society group is currently staying under the radar, likely to avoid attracting the attention of law enforcement agencies (LEA) and to continue its activities in the long term.\r\nSEKOIA.IO assesses that the low number of Vice Society-related samples found in public repositories is possibly linked to the lack of cybersecurity resources in its main targeted verticals, healthcare and education. Another possible explanation, as described by Talos, is that the group’s defence evasion techniques (e.g. deleting security logs) limit post-incident investigation.\r\nVice Society ransomware IOCs\r\nHelloKitty samples (for Linux) from the end of 2021 with the Vice Society ransom note:\r\n78efe6f5a34ba7579cfd8fc551274029920a9086cb713e859f60f97f591a7b04\r\n754f2022b72da704eb8636610c6d2ffcbdae9e8740555030a07c8c147387a537\r\nRecent samples (May 2022) using Zeppelin ransomware with the Vice Society ransom note; some of these samples use Windows binary names:\r\n24efa10a2b51c5fd6e45da6babd4e797d9cae399be98941f950abf7b5e9a4cd7\r\n
307877881957a297e41d75c84e9a965f1cd07ac9d026314dcaff55c4da23d03e\r\nab440c4391ea3a01bebbb651c80c27847b58ac928b32d73ed3b19a0b17dd7e75\r\naa7e2d63fc991990958dfb795a0aed254149f185f403231eaebe35147f4b5ebe\r\nbafd3434f3ba5bb9685e239762281d4c7504de7e0cfd9d6394e4a85b4882ff5d\r\nYARA\r\nhttps://github.com/reversinglabs/reversinglabs-yara-rules/blob/develop/yara/ransomware/Win32.Ransomware.Zeppelin.yara\r\nReferences\r\nSEKOIA.IO Cyber Threat Intelligence Investigation\r\nhttps://twitter.com/demonslay335/status/1403109032014061568\r\nhttps://www.theregister.com/2022/02/08/optionis_vice_society/\r\nhttps://www.bleepingcomputer.com/forums/t/708565/zeppelin-ransomware-support-topic/page-7\r\nhttps://blog.talosintelligence.com/vice-society-ransomware-printnightmare/\r\nSource: https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sekoia.io/vice-society-a-discreet-but-steady-double-extortion-ransomware-group"
	],
	"report_names": [
		"vice-society-a-discreet-but-steady-double-extortion-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434596,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/823c07e0ac1cf5368e3e5360c562dfba28b352a6.pdf",
		"text": "https://archive.orkl.eu/823c07e0ac1cf5368e3e5360c562dfba28b352a6.txt",
		"img": "https://archive.orkl.eu/823c07e0ac1cf5368e3e5360c562dfba28b352a6.jpg"
	}
}