top of page

Ransomware group Vice Society target US and UK schools

The ransomware group 'Vice Society' have launched a recent campaign against targets in the education sector, including UK schools.

The launch follows a national alert posted by the US Cybersecurity & Infrastructure Security Agency (CISA); however, Vice Society appear undeterred by the scrutiny.

Vice Society is a ransomware group that first appeared in June 2021 and have become a prominent threat to the education sector. Vice Society have been implementing a simple model of intrusion, exfiltration, then extortion.

The use of Russian written tooling within their ransom campaigns has also indicates that the group may either be based in or linked to Russia.

According to Microsoft’s report, they have observed Vice Society deploying multiple commodity ransomware variants over the past year including BlackCat, QuantumLocker, Zeppelin, and most recently a Vice Society-branded variant of the Zeppelin ransomware.

While many ransomware groups have moved away from branded file extensions in favour of randomly generated ones, Vice Society incorporated branding with their Vice Society variant using .v-s0ciety or .v-society file extensions.

Most recently, in late September 2022, they modified their ransomware payload to a variant dubbed RedAlert, using a .locked file extension.

Speculation in the security community highlights that schools have been likely targeted due to their large amounts of personal data on record combined with relatively low cyber security.

Upon analysis of their leak site, victims are mainly based in the US, but several UK schools have also been targeted.

Vice Society's initial campaigns caught the attention of authorities, with the US-CISA publishing a Vice Society alert in September.

At the time of writing, the additional attention has not appeared to deter Vice Society, who are still listing victims on their leak site as of October 2022 and have even started a blog to voice their own commentary on the cyber landscape.

Although UK targets have been identified in several sectors, there is a clear focus on UK schools: including primary, secondary and higher education.

Many UK schools band together as a trust to operate a joint network running between several schools. While this is a valuable way for trusts to share data, it has also presented the opportunity for Vice Society to exfiltrate data on all schools in the trust, after gaining access to just one network.

Their focus appears to be the education industry and targeting victims with relatively low security controls. The current global scrutiny around the group would suggest they will likely continue to target lower profile organisations.

Vice Society have primarily reported US victims. However, they have been observed previously targeting the UK and there is no evidence to suggest the group will stop viewing the UK as a viable target.

The indicators pointing towards Vice Society being linked to Russia are consistent with this assessment.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page