With 33 victims in 2022, the Vice Society cybercrime organization outperformed other malware groups like LockBit, BlackCat, BianLian, and Hive in its preference for educational institutions.

Health, government, industrial, retail, and legal support are some other well-known industry verticals that have been targeted. According to an examination of leak site data by Palo Alto Networks Unit 42.

Vice Society was listed as one of the “most influential ransomware gangs of 2022” by the cybersecurity firm.  Attackers using the Vice Society ransomware specifically targeted schools in 2022.

The United States has reported 35 cases out of the 100 organizations affected, followed by 18 cases in the United Kingdom. Also seven in Spain, six issues in Brazil and France, four in Germany and Italy, and three in Australia.

Vice Society, which has been operating since May 2021, differs from other ransomware groups in that it does not create its ransomware strain. Instead using HelloKitty and Zeppelin ransomware files offered on dark web forums.


Microsoft, which monitors the behavior under the handle DEV-0832, said the organization sometimes avoids using ransomware. Instead uses stolen data that has been exfiltrated to carry out extortion.

The operators have been seen utilizing internet-facing programs to leverage compromised credentials to gain initial network access and abusing known security holes to escalate privileges.

It will be terrible for that business if you attacked and closed down their monetary payment system, “explained Olson. “However, if a college starts to close in a community, it will affect all children, teachers, and parents. It will undoubtedly make the news. Administrators will be under significant pressure to get things operating again as a result. Ransomware authors want victims to be in a situation where they must immediately resume business operations since that will force them to pay.

Final Thoughts

The incident response activities of Unit 42 reveal that the organization spends six days in the settings of the victims. And that the first ransom sums may surpass $1 million. However, after negotiations, this price may fall by as much as 60% to $460,000.

According to Unit 42 researcher JR Gumarin, “school districts with poor cybersecurity capabilities and tight resources are frequently the most susceptible to threat actors.”

Vice Society consistently targets the education sector, especially around the beginning of September. That is a warning that their ads have been designed to capitalize on the U.S. school year.