The Vice Society Ransomware gang thrives in a crucial blind spot

Throughout 2021, Vice Society’s healthcare targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Center Hospitalier D’Arles in France, United Health Centers in California and a dental company in Brazil. The group also attacked New Zealand’s Waikato District Health Board that summer, resulting in, among other things, the cancellation of two Air New Zealand flights; the airline could not obtain evidence of negative Covid-19 tests for crew members because the health department’s digital systems were down.

Vice Society also targeted schools and universities in 2021 and appears to have favored this sector more and more as the US and other countries devote more resources to ransomware enforcement and honing techniques. In the wake of high-profile 2021 attacks, such as the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure removal, indictments, and even rare Russian arrests for their brazen crimes.

Vice Society may see education as a quieter and less well-funded category where it can fly under the radar. For example, the group hit the Austrian Medical University in Innsbruck in June and the Linn-Mar Community School District in Iowa in early August—neither of which would flag as big, obvious targets. Bluet’s maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has so far not taken credit for the hack.

“They are a perfect example of the success of mediocrity in the ransomware ecosystem,” says Claire Tills, a researcher for the security firm Tenable who has studied the Vice Society’s tactics and organization. “You have the top level groups developing their own zero days and acting all polished and professional. But meanwhile the Vice Society is just fooling around, not innovating, stealing tools from other people, but they have just enough stability to launch attacks, get paid, keep moving themselves.”

Researchers see the group’s attack on the Los Angeles Unified School District as significant because LAUSD is a big target, and it made more of a splash than most of Vice Society’s other hacks. Tills notes that the group may not have understood the scale and prominence of the school district it was taking on, or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment, and the scrutiny that came from the incident, may have warned the group against such visible attacks.

“They focus on not necessarily big goals. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don’t necessarily break into the mainstream,” says Recorded Future’s Liska. “You might not want to be Conti and take down an entire country’s health care system, because if you do that, you’re going to anger those countries.”

By focusing on lesser-known schools, Tenable’s Tills warns, the Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don’t prioritize middle-of-the-road ransomware groups.

“Vice Society has taken the approach of knowing that the education sector is not doing well emotionally or financially,” says Tills. “Schools are under so much pressure after being shut down on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group’s success makes them sustainable, but they’re still kind of written off. So they’re not being raided or arrested as we’ve seen so far. They’re a very good example of what we as an industry are not paying enough attention to.”
