Skip to main content

Operator dossier

Vicesociety (also tracked as VICE SOCIETY) is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 188 public victims claimed by this operator between May 31, 2021 and June 20, 2023. Vicesociety is a ransomware group that emerged in May 2021, primarily motivated by financial gain through targeting critical infrastructure and public service organizations. The group's origin and specific affiliations remain largely undetermined by public threat intelligence reporting, though their operational patterns suggest they function as an independent ransomware operation rather than a established RaaS model. Vicesociety primarily gains initial access through exploitation of public-facing applications and credential-based attacks, with documented cases showing they particularly focus on compromising remote access services and vulnerable web applications before deploying their ransomware payload across victim networks. The group has demonstrated a clear preference for targeting educational institutions, government agencies, and healthcare organizations, with their 188 documented victims concentrated heavily in the United States, United Kingdom, Germany, Australia, and Spain, indicating a focus on English-speaking and Western European entities. While specific high-profile campaigns have not been extensively detailed in major public threat intelligence reports from CISA or FBI advisories, the group's consistent targeting of critical sectors like education and healthcare has drawn attention from security researchers monitoring threats to essential services. Vicesociety remains active as of recent threat intelligence assessments, continuing their operations against similar target sectors with no documented law enforcement disruption or significant operational changes.

Most-targeted sectors

Most-affected countries

Recent disclosures by Vicesociety

Most recent 150 of 188 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Vicesociety

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

All groups

Vicesociety

aka VICE SOCIETY · 188 victims indexed · first seen 5 years ago · last activity 3 years ago

188
Victims indexed
#42 of 364 tracked operators
2y 1m
Active period
May 2021 → Jun 2023
27
Countries hit
top United States · 23

At a glance

Status
inactive
Aliases
VICE SOCIETY
First seen
5 years ago
Last activity
3 years ago
Onion sites
9 known endpoints
Primary sector
Education · 52 hits

About

Vicesociety is a ransomware group that emerged in May 2021, primarily motivated by financial gain through targeting critical infrastructure and public service organizations. The group's origin and specific affiliations remain largely undetermined by public threat intelligence reporting, though their operational patterns suggest they function as an independent ransomware operation rather than a established RaaS model. Vicesociety primarily gains initial access through exploitation of public-facing applications and credential-based attacks, with documented cases showing they particularly focus on compromising remote access services and vulnerable web applications before deploying their ransomware payload across victim networks. The group has demonstrated a clear preference for targeting educational institutions, government agencies, and healthcare organizations, with their 188 documented victims concentrated heavily in the United States, United Kingdom, Germany, Australia, and Spain, indicating a focus on English-speaking and Western European entities. While specific high-profile campaigns have not been extensively detailed in major public threat intelligence reports from CISA or FBI advisories, the group's consistent targeting of critical sectors like education and healthcare has drawn attention from security researchers monitoring threats to essential services. Vicesociety remains active as of recent threat intelligence assessments, continuing their operations against similar target sectors with no documented law enforcement disruption or significant operational changes.

References

2 links

External sources curated by the MISP threat-intel community.

Timeline

19 months
2021-05-01T00:00:00+00:00 · 12021-08-01T00:00:00+00:00 · 12022-01-01T00:00:00+00:00 · 342022-03-01T00:00:00+00:00 · 92022-04-01T00:00:00+00:00 · 172022-05-01T00:00:00+00:00 · 102022-06-01T00:00:00+00:00 · 122022-07-01T00:00:00+00:00 · 52022-08-01T00:00:00+00:00 · 82022-09-01T00:00:00+00:00 · 62022-10-01T00:00:00+00:00 · 102022-11-01T00:00:00+00:00 · 112022-12-01T00:00:00+00:00 · 192023-01-01T00:00:00+00:00 · 232023-02-01T00:00:00+00:00 · 22023-03-01T00:00:00+00:00 · 82023-04-01T00:00:00+00:00 · 42023-05-01T00:00:00+00:00 · 52023-06-01T00:00:00+00:00 · 3
2021-05-01T00:00:00+00:002023-06-01T00:00:00+00:00

Top countries

🇺🇸 United States
23
🇬🇧 United Kingdom
9
🇩🇪 Germany
6
🇫🇷 France
3
🇦🇺 Australia
3
🇪🇸 Spain
3
🇮🇩 Indonesia
2
🇧🇷 Brazil
2

Top sectors

Education
52
Government
7
Healthcare
7
Technology
6
Manufacturing
5
Construction
4
Telecommunications
4
Financial Services
4

MITRE ATT&CK

13 techniques · 10 tactics

Tactics

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1053Scheduled Task/Job
  • T1543Create or Modify System Process
  • T1078Valid Accounts
  • T1562Impair Defenses
  • T1003OS Credential Dumping
  • T1021Remote Services
  • T1083File and Directory Discovery
  • T1005Data from Local System
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

9 known
  • http://4hzyuotli6maqa4u.onion
  • http://ecdmr42a34qovoph557zotkfvth4fsz56twvwgiylstjup4r5bpc4oad.onion
  • http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion
  • http://ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid.onion/partners.html
  • http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion
  • http://ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd.onion/partners.html
  • http://vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad.onion
  • http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion
  • http://wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad.onion/partners.html

Source

Updated 3 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Vicesociety posts a victim.

Add Vicesociety to your watchlist — Pro pings you within 5 minutes of any new Vicesociety leak-site post, Telegram callout, or affiliate-rebrand inference.