{
	"id": "7ce0ebc4-6074-4a6c-96dc-b196c35c7b20",
	"created_at": "2026-04-06T00:07:26.07837Z",
	"updated_at": "2026-04-10T03:34:18.761298Z",
	"deleted_at": null,
	"sha1_hash": "ce5d10c27ebe02cbd88e5a8020c11412cfccc5f4",
	"title": "#StopRansomware: Vice Society | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121678,
	"plain_text": "#StopRansomware: Vice Society | CISA\r\nPublished: 2022-09-08 · Archived: 2026-04-05 19:14:31 UTC\r\nSummary\r\nActions to take today to mitigate cyber threats from ransomware:\r\n• Prioritize and remediate known exploited vulnerabilities.\r\n• Train users to recognize and report phishing attempts.\r\n• Enable and enforce multifactor authentication.\r\nNote: This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint CSA to disseminate IOCs and TTPs associated with Vice Society actors identified through FBI investigations as recently as September 2022. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.\r\nOver the past several years, the education sector, especially kindergarten through twelfth grade (K-12) institutions, has been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, and canceled school days to unauthorized access to and theft of personal information regarding students and staff. 
The FBI, CISA, and the MS-ISAC anticipate attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. School districts with limited cybersecurity capabilities and constrained resources are often the most vulnerable; however, the opportunistic targeting often seen with cyber criminals can still put school districts with robust cybersecurity programs at risk. K-12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.\r\nThe FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of ransomware incidents.\r\nDownload the PDF version of this report: pdf, 521 KB\r\nDownload the IOCs: .stix 31 kb\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-249a\r\nPage 1 of 8\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® for Enterprise framework, version 11. See MITRE ATT\u0026CK for Enterprise for all referenced tactics and techniques.\r\nVice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of unique origin. Instead, the actors have deployed versions of Hello Kitty/Five Hands and Zeppelin ransomware, but may deploy other variants in the future.\r\nVice Society actors likely obtain initial network access through compromised credentials by exploiting internet-facing applications [T1190]. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase access, and exfiltrating data [TA0010] for double extortion, a tactic whereby actors threaten to publicly release sensitive data unless a victim pays a ransom. 
Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike, to move laterally. They have also used “living off the land” techniques targeting the legitimate Windows Management Instrumentation (WMI) service [T1047] and tainting shared content [T1080].\r\nVice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges [T1068]. To maintain persistence, the criminal actors have been observed leveraging scheduled tasks [T1053], creating undocumented autostart Registry keys [T1547.001], and pointing legitimate services to their custom malicious dynamic link libraries (DLLs) through a tactic known as DLL side-loading [T1574.002]. Vice Society actors attempt to evade detection by masquerading their malware and tools as legitimate files [T1036] and using process injection [T1055], and they likely use evasion techniques to defeat automated dynamic analysis [T1497]. Vice Society actors have been observed escalating privileges, then gaining access to domain administrator accounts, and running scripts to change the passwords of victims’ network accounts to prevent the victim from remediating. 
\r\nIndicators of Compromise (IOCs)\r\nEmail Addresses\r\nv-society.official@onionmail[.]org\r\nViceSociety@onionmail[.]org\r\nOnionMail email accounts in the format of [First Name][Last Name]@onionmail[.]org\r\nTOR Address\r\nhttp://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion\r\nIP Addresses for C2 (Confidence Level)\r\n5.255.99[.]59 (High Confidence)\r\n5.161.136[.]176 (Medium Confidence)\r\n198.252.98[.]184 (Medium Confidence)\r\n194.34.246[.]90 (Low Confidence)\r\nSee Table 1 for file hashes obtained from FBI incident response investigations in September 2022.\r\nTable 1: File Hashes as of September 2022\r\nMD5: fb91e471cfa246beb9618e1689f1ae1d\r\nSHA1: a0ee0761602470e24bcea5f403e8d1e8bfa29832\r\nSHA1: 3122ea585623531df2e860e7d0df0f25cce39b21\r\nSHA1: 41dc0ba220f30c70aea019de214eccd650bc6f37\r\nSHA1: c9c2b6a5b930392b98f132f5395d54947391cb79\r\nMITRE ATT\u0026CK TECHNIQUES\r\nVice Society actors have used the ATT\u0026CK techniques listed in Table 2, which are similar to the techniques used with Zeppelin.\r\nTable 2: Vice Society Actors ATT\u0026CK Techniques for Enterprise (Technique Title (ID): Use)\r\nInitial Access\r\nExploit Public-Facing Application (T1190): Vice Society actors exploit vulnerabilities in internet-facing systems to gain access to victims’ networks.\r\nValid Accounts (T1078): Vice Society actors obtain initial network access through compromised valid accounts.\r\nExecution\r\nWindows Management Instrumentation (WMI) (T1047): Vice Society actors leverage WMI as a means of “living off the land” to execute malicious commands. WMI is a native Windows administration feature.\r\nScheduled Task/Job (T1053): Vice Society actors have used malicious files that create component task schedule objects, which are often meant to register a specific task to autostart on system boot. 
This facilitates recurring execution of their code.\r\nPersistence\r\nModify System Process (T1543.003): Vice Society actors encrypt Windows operating functions to preserve compromised system functions.\r\nRegistry Run Keys/Startup Folder (T1547.001): Vice Society actors have employed malicious files that create an undocumented autostart Registry key to maintain persistence after boot/reboot.\r\nDLL Side-Loading (T1574.002): Vice Society actors may directly side-load their payloads by planting their own DLL and then invoking a legitimate application that executes the payload within that DLL. This serves as both a persistence mechanism and a means to masquerade actions under legitimate programs.\r\nPrivilege Escalation\r\nExploitation for Privilege Escalation (T1068): Vice Society actors have been observed exploiting the PrintNightmare vulnerability (CVE-2021-1675 and CVE-2021-34527) to escalate privileges.\r\nDefense Evasion\r\nMasquerading (T1036): Vice Society actors may attempt to manipulate features of the files they drop in a victim’s environment to mask the files or make the files appear legitimate.\r\nProcess Injection (T1055): Vice Society artifacts have been analyzed to reveal the ability to inject code into legitimate processes for evading process-based defenses. 
This tactic has other potential impacts, including the ability to escalate privileges or gain additional access.\r\nSandbox Evasion (T1497): Vice Society actors may have included sleep techniques in their files to hinder common reverse engineering or dynamic analysis.\r\nLateral Movement\r\nTaint Shared Content (T1080): Vice Society actors may deliver payloads to remote systems by adding content to shared storage locations such as network drives.\r\nExfiltration\r\nExfiltration (TA0010): Vice Society actors are known for double extortion, which is a second attempt to force a victim to pay by threatening to expose sensitive information if the victim does not pay a ransom.\r\nImpact\r\nData Encrypted for Impact (T1486): Vice Society actors have encrypted data on target systems or on large numbers of systems in a network to interrupt availability of system and network resources.\r\nAccount Access Removal (T1531): Vice Society actors run a script to change passwords of victims’ email accounts.\r\nMitigations\r\nThe FBI and CISA recommend organizations, particularly those in the education sector, establish and maintain strong liaison relationships with the FBI Field Office in their region and their regional CISA Cybersecurity Advisor. The location and contact information for FBI Field Offices and CISA Regional Offices can be found at www.fbi.gov/contact-us/field-offices and www.cisa.gov/cisa-regions, respectively. Through these partnerships, the FBI and CISA can assist with identifying vulnerabilities to academia and mitigating potential threat activity. 
The FBI and CISA further recommend that academic entities review and, if needed, update incident response and communication plans that list actions an organization will take if impacted by a cyber incident.\r\nThe FBI, CISA, and the MS-ISAC recommend network defenders apply the following mitigations to limit potential adversarial use of common system and network discovery techniques and to reduce the risk of compromise by Vice Society actors:\r\nPreparing for Cyber Incidents\r\n• Maintain offline backups of data, and regularly maintain backup and restoration. By instituting this practice, the organization ensures it will not be severely interrupted and/or left with only irretrievable data.\r\n• Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure. Ensure your backup data is not already infected.\r\n• Review the security posture of third-party vendors and those interconnected with your organization. Ensure all connections between third-party vendors and outside software or hardware are monitored and reviewed for suspicious activity.\r\n• Implement listing policies for applications and remote access that only allow systems to execute known and permitted programs under an established security policy.\r\n• Document and monitor external remote connections. 
Organizations should document approved solutions for remote management and maintenance, and immediately investigate if an unapproved solution is installed on a workstation.\r\n• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).\r\nIdentity and Access Management\r\n• Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with National Institute of Standards and Technology (NIST) standards for developing and managing password policies:\r\n  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length;\r\n  • Store passwords in hashed format using industry-recognized password managers;\r\n  • Add password user “salts” to shared login credentials;\r\n  • Avoid reusing passwords;\r\n  • Implement multiple failed login attempt account lockouts;\r\n  • Disable password “hints”;\r\n  • Refrain from requiring password changes more frequently than once per year unless a password is known or suspected to be compromised.\r\n  Note: NIST guidance suggests favoring longer passwords instead of requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.\r\n• Require administrator credentials to install software.\r\n• Require phishing-resistant multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.\r\n• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.\r\n• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege. 
\r\n• Implement time-based access for accounts set at the admin level and higher. For example, the Just-in-Time (JIT) access method provisions privileged access when needed and can support enforcement of the principle of least privilege (as well as the Zero Trust model). This is a process where a network-wide policy is set in place to automatically disable admin accounts at the Active Directory level when the account is not in direct need. Individual users may submit their requests through an automated process that grants them access to a specified system for a set timeframe when they need to support the completion of a certain task.\r\nProtective Controls and Architecture\r\n• Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement.\r\n• Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host.\r\n• Install, regularly update, and enable real-time detection for antivirus software on all hosts.\r\n• Secure and closely monitor remote desktop protocol (RDP) use.\r\n  • Limit access to resources over internal networks, especially by restricting RDP and using virtual desktop infrastructure. If RDP is deemed operationally necessary, restrict the originating sources and require MFA to mitigate credential theft and reuse. 
If RDP must be available externally, use a VPN, virtual desktop infrastructure, or other means to authenticate and secure the connection before allowing RDP to connect to internal devices. Monitor remote access/RDP logs, enforce account lockouts after a specified number of attempts to block brute force campaigns, log RDP login attempts, and disable unused remote access/RDP ports.\r\nVulnerability and Configuration Management\r\n• Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Organizations should prioritize patching of vulnerabilities on CISA’s Known Exploited Vulnerabilities catalog.\r\n• Disable unused ports.\r\n• Consider adding an email banner to emails received from outside your organization.\r\n• Disable hyperlinks in received emails.\r\n• Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.\r\n• Ensure devices are properly configured and that security features are enabled.\r\n• Disable ports and protocols that are not being used for a business purpose (e.g., RDP Transmission Control Protocol Port 3389).\r\n• Restrict Server Message Block (SMB) Protocol within the network to only access servers that are necessary, and remove or disable outdated versions of SMB (i.e., SMB version 1). 
Threat actors use SMB to propagate malware across organizations.\r\nREFERENCES\r\n• Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.\r\n• Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.\r\n• No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.\r\nREPORTING\r\nThe FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with Vice Society actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.\r\nThe FBI, CISA, and the MS-ISAC strongly discourage paying ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.\r\nRegardless of whether you or your organization have decided to pay the ransom, the FBI and CISA urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at report@cisa.gov or by calling 1-844-Say-CISA (1-844-729-2472). SLTT government entities can also report to the MS-ISAC (SOC@cisecurity.org or 866-787-4722).\r\nDISCLAIMER\r\nThe information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and the MS-ISAC do not endorse any commercial product or service, including any subjects of analysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, or the MS-ISAC.\r\nRevisions\r\nSeptember 6, 2022: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-249a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-249a"
	],
	"report_names": [
		"aa22-249a"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832",
				"STAC5279",
				"Vanilla Tempest",
				"Vice Society",
				"Vice Spider"
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce5d10c27ebe02cbd88e5a8020c11412cfccc5f4.pdf",
		"text": "https://archive.orkl.eu/ce5d10c27ebe02cbd88e5a8020c11412cfccc5f4.txt",
		"img": "https://archive.orkl.eu/ce5d10c27ebe02cbd88e5a8020c11412cfccc5f4.jpg"
	}
}