CISA Alert AA22-249A – #StopRansomware: Vice Society.
This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Four Nine Alpha.
Original release date: September sixth, twenty twenty two.
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, are releasing this advisory to disseminate indicators of compromise and tactics, techniques, and procedures, or TTPs, associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.
Vice Society is an intrusion, exfiltration, and extortion hacking group that first appeared in summer 2021. Vice Society actors do not use a ransomware variant of their own. Instead, the actors have deployed versions of HelloKitty, FiveHands, and Zeppelin ransomware, and may deploy other variants.
Vice Society actors obtain initial network access through compromised credentials and by exploiting internet-facing applications. Vice Society actors have been observed exploiting the PrintNightmare vulnerability in the Windows Print Spooler service, CVE-2021-1675 and CVE-2021-34527, to escalate privileges. Prior to deploying ransomware, the actors spend time exploring the network, identifying opportunities to increase access, and exfiltrating data for double extortion, in which victims are pressured both by encryption and by the threat of publishing the stolen data. Vice Society actors have been observed using a variety of tools, including SystemBC, PowerShell Empire, and Cobalt Strike, for lateral movement. They have also used "living off the land" techniques, abusing the legitimate Windows Management Instrumentation service to execute commands on remote hosts and tainting shared content so that files on network shares carry their payloads.
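Two of the behaviours named above, remote execution through Windows Management Instrumentation and abuse of the Print Spooler, leave recognisable traces in endpoint telemetry. The script below is an added example, not code from the CISA advisory or from the CyberWire: it runs three simple heuristic rules over a handful of constructed Sysmon-style records (process creation, Event ID 1, and file creation, Event ID 11). The sample records, host names, and user names are invented for the demonstration; the MITRE ATT&CK technique IDs T1047 (Windows Management Instrumentation) and T1068 (Exploitation for Privilege Escalation) are the standard ones for these behaviours.

```python
"""Heuristic detections for WMI lateral movement and Print Spooler abuse.

Added example, not part of the CISA advisory. Input records are constructed
and follow Sysmon field naming (EventID, Image, ParentImage, TargetFilename).
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample telemetry: one benign event, then three that the
# advisory's TTPs would produce. Hosts and users are invented.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "Computer": "WS01", "User": "CORP\\teacher1",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Remote "process call create" via WMI: the provider host spawns a shell.
    {"EventID": "1", "Computer": "FS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Spooler writing a DLL into the print driver store (PrintNightmare-style).
    {"EventID": "11", "Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\spoolsv.exe",
     "TargetFilename": "C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New\\mimi.dll"},
    # Spooler (running as SYSTEM) spawning a shell after a malicious driver load.
    {"EventID": "1", "Computer": "DC01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\spoolsv.exe"},
]

# Interpreters and LOLBins an attacker typically launches from a foothold.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
          "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_wmi_lateral_movement(ev: Dict[str, str]) -> bool:
    """Shell spawned by the WMI provider host (T1047)."""
    return (ev.get("EventID") == "1"
            and _base(ev.get("ParentImage", "")) == "wmiprvse.exe"
            and _base(ev.get("Image", "")) in SHELLS)


def is_spooler_child_process(ev: Dict[str, str]) -> bool:
    """spoolsv.exe has no business spawning shells; consistent with T1068."""
    return (ev.get("EventID") == "1"
            and _base(ev.get("ParentImage", "")) == "spoolsv.exe"
            and _base(ev.get("Image", "")) in SHELLS)


def is_spooler_driver_drop(ev: Dict[str, str]) -> bool:
    """spoolsv.exe writing a DLL into the driver store. Legitimate driver
    installs also do this, so baseline the rule against known-good drivers."""
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == "11"
            and _base(ev.get("Image", "")) == "spoolsv.exe"
            and "\\spool\\drivers\\" in target
            and target.endswith(".dll"))


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("T1047 shell spawned by WmiPrvSE.exe", is_wmi_lateral_movement),
    ("T1068 DLL written to print driver store by spoolsv.exe", is_spooler_driver_drop),
    ("T1068 shell spawned by spoolsv.exe", is_spooler_child_process),
]


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; return one finding per match."""
    findings = []
    for ev in events:
        for label, rule in RULES:
            if rule(ev):
                findings.append({
                    "technique": label.split(" ", 1)[0],
                    "rule": label,
                    "computer": ev.get("Computer", ""),
                    "user": ev.get("User", ""),
                    "image": ev.get("Image", ""),
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['computer']} {f['user']}: {f['rule']}")
```

The parent-child rules are low-noise on most fleets and are good candidates for alerts; the driver-store rule fires on every printer driver installation, so it belongs in a hunting query correlated with the Print Service log rather than in a paging alert. Applying the spooler hardening from the Mitigations section (disabling the spooler on domain controllers and hosts that do not print) removes both spooler rules' source of false positives along with the attack surface.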
Over the past several years, the education sector, especially K through 12 institutions, has been a frequent target of ransomware attacks. Impacts from these attacks have ranged from restricted access to networks and data, delayed exams, and canceled school days to unauthorized access to and theft of personal information regarding students and staff. Attacks may increase as the 2022/2023 school year begins and criminal ransomware groups perceive opportunities for successful attacks. K through 12 institutions may be seen as particularly lucrative targets due to the amount of sensitive student data accessible through school systems or their managed service providers.
The FBI, CISA, and the MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of the alert documentation linked in the show notes to reduce the likelihood and impact of ransomware incidents. The alert documentation also includes indicators of compromise and a full MITRE ATT&CK mapping for this activity.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.
This has been a CISA Cybersecurity Alert.