Throughout 2021, Vice Society’s health care targets included Barlow Respiratory Hospital in California, Eskenazi Health in Indiana, Centre Hospitalier D’Arles in France, United Health Centers in California, and a dental company in Brazil. The group also attacked New Zealand’s Waikato District Health Board that summer, which, among other impacts, resulted in the cancellation of two Air New Zealand flights; the airline couldn’t obtain proof of negative Covid-19 tests for crew members because the health department’s digital systems were down.
Vice Society also targeted schools and universities in 2021 and seems to have favored this sector more and more as the United States and other countries devote more resources to ransomware enforcement and hone mitigation techniques. In the wake of high-profile 2021 attacks, like the Colonial Pipeline ransomware incident, prominent Russian-speaking actors faced infrastructure takedowns, indictments, and even rare Russian arrests for their brazen crimes.
Vice Society may view education as a quieter and less well funded category where it can fly under the radar. For example, the group hit the Austrian Medical University of Innsbruck in June and Linn-Mar Community School District in Iowa at the beginning of August—neither of which many people would flag as major, obvious targets. The Bluets maternity hospital in Paris accused the group last week of a ransomware attack on its systems. Vice Society has not taken credit so far for the hack.
“They’re a perfect example of the success of mediocrity in the ransomware ecosystem,” says Claire Tills, a researcher for the security firm Tenable who has studied Vice Society’s tactics and organization. “You have the top-tier groups developing their own zero days and acting all polished and professional. But meanwhile, Vice Society is just chugging along, not really innovating, stealing tools from other folks, but they have just enough stability to launch attacks, get paid, keep moving.”
Researchers view the group’s attack on the Los Angeles Unified School District as significant because LAUSD is a major target, and it made more of a splash than most of Vice Society’s other hacks. Tills notes that the group may not have understood the scale and prominence of the school district it was taking on or may have chosen the target deliberately as a test of whether it was ready to up its game and focus on larger victims. But the apparent failure to secure payment and scrutiny that came from the incident may have warned the group off of such visible attacks.
“They’re focusing on not necessarily big targets. Not everyone is aware of how bad and how devastating these attacks are, because they are so regional and they don’t necessarily break into the mainstream,” Recorded Future’s Liska says. “You may not want to be Conti and take down a whole country’s health care system, because if you do, you’re going to draw the ire of these countries.”
By focusing on lesser-known schools, Tenable’s Tills warns, Vice Society may be able to maintain its low profile and continue its streak if defenders and law enforcement don’t make mid-tier ransomware groups a higher priority.
“Vice Society has taken the approach of knowing that the education sector isn’t doing great emotionally or financially,” Tills says. “Schools are under so much pressure after being closed on and off for two years, and ransomware actors know that the more stressed people are, the more likely they are to make suboptimal decisions. The group’s success makes them sustainable, but they’re still kind of written off. So they’re not getting raided or arrested that we’ve seen so far. They’re a really good example of what we as an industry are not paying enough attention to.”