From 42bad34d9183ebcffd05136eab8d5c8c283bbe3b Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Thu, 1 Feb 2024 11:01:59 -0800
Subject: [PATCH] [threat-actors] Add Vanilla Tempest

---
 clusters/threat-actor.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 7751f86..6c8f96e 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -14329,6 +14329,23 @@
 },
 "uuid": "9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4",
 "value": "Sunglow Blizzard"
+ },
+ {
+ "description": "Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.",
+ "meta": {
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/",
+ "https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation",
+ "https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2",
+ "https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/"
+ ],
+ "synonyms": [
+ "DEV-0832",
+ "Vice Society"
+ ]
+ },
+ "uuid": "c4132d43-2405-43ca-9940-a6f78e007861",
+ "value": "Vanilla Tempest"
 }
 ],
 "version": 298
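Review bot: The new entry's `description` never mentions its own `value`, so a reader who lands on "Vanilla Tempest" gets a paragraph about Vice Society and has to infer the link from the `synonyms` list. Opening it with something like `Vanilla Tempest (formerly DEV-0832) is Microsoft's designation for the ransomware group widely known as Vice Society, active since at least June 2021.` would make the mapping explicit for analysts tagging events. Three of the four `refs` are about Rhysida, which the description only calls a potential connection; keeping Rhysida out of `synonyms` is right, and if the file already holds a Rhysida or Vice Society cluster (not visible in this hunk), a `related` link or a merge would avoid two clusters for one actor. The trailing context also shows `"version": 298` unchanged, so consumers that key updates on the version field may not pick this entry up unless another commit bumps it.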