SentinelLabs disclosed that the Vice Society group has adopted a new custom-branded ransomware payload in recent intrusions, dubbed ‘PolyVice,’ which implements an encryption scheme combining the NTRUEncrypt and ChaCha20-Poly1305 algorithms.
Vice Society Ransomware
Vice Society, active since June 2021, has been steadily observed encrypting and exfiltrating victim data, and threatening companies with exposure of siphoned information to pressure them into paying a ransom.
SentinelLabs identified a ransomware deployment that appended the file extension [dot]ViceSociety to all encrypted files, in addition to dropping ransom notes with the file name ‘AllYFilesAE’ in each encrypted directory.
Vice Society has used a toolkit packed with different ransomware strains and variants. PolyVice ransomware is a 64-bit binary that uses multi-threading for parallel symmetric data encryption, fully utilizing the victim’s processor to speed up the encryption process.
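The two host artifacts the report names (the [dot]ViceSociety extension and the ‘AllYFilesAE’ ransom note in every encrypted directory) are enough for a quick triage sweep. The script below is an added example, not code from the article or from SentinelLabs: it walks a directory tree, collects both indicators, and runs a Shannon-entropy check so that a file that merely carries the extension is not mistaken for ciphertext. The sample tree it builds is constructed for the demonstration and the 7.0 bits-per-byte threshold is an assumed cut-off.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Host artifacts reported for this Vice Society deployment.
ENCRYPTED_EXT = ".ViceSociety"
RANSOM_NOTE_NAME = "AllYFilesAE"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; properly encrypted content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_for_vice_society(root: str, entropy_threshold: float = 7.0) -> dict:
    """Walk `root` and collect the indicators; returns a summary dict."""
    hits = {"encrypted_files": [], "ransom_notes": [], "note_dirs": set(), "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_EXT):
                hits["encrypted_files"].append(str(path))
                # Entropy of the first 64 KiB: confirms the content is actually
                # ciphertext rather than a plaintext file that was only renamed.
                with open(path, "rb") as fh:
                    if shannon_entropy(fh.read(64 * 1024)) >= entropy_threshold:
                        hits["high_entropy"].append(str(path))
            elif name.startswith(RANSOM_NOTE_NAME):
                hits["ransom_notes"].append(str(path))
                hits["note_dirs"].add(dirpath)
    hits["note_dirs"] = sorted(hits["note_dirs"])
    return hits


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data) mimicking the reported layout."""
    root = Path(tempfile.mkdtemp(prefix="polyvice_sample_"))
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.ViceSociety").write_bytes(os.urandom(4096))  # stand-in ciphertext
    (root / "docs" / "AllYFilesAE").write_text("constructed ransom note")
    (root / "renamed.txt.ViceSociety").write_bytes(b"A" * 4096)  # extension only, low entropy
    (root / "AllYFilesAE").write_text("constructed ransom note")
    (root / "untouched.txt").write_text("plain file, no indicator")
    return str(root)


if __name__ == "__main__":
    summary = scan_for_vice_society(build_sample_tree())
    for key, value in summary.items():
        print(f"{key}: {len(value)}")
```

The note-per-directory pattern means `note_dirs` should closely track the set of directories holding `.ViceSociety` files; a mismatch is a useful pointer to where encryption was interrupted.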
Cocomazzi concluded that the Vice Society group has established itself as a highly resourced and capable threat actor, able to carry out ransom attacks against large environments and with connections within the criminal underground. “The adoption of the PolyVice Ransomware variant has further strengthened their ransomware campaigns, enabling them to quickly and effectively encrypt victims’ data using a robust encryption scheme,” he added.
All these features indicate that whoever develops the new ransomware strains used by Vice Society, as well as the Chilly and SunnyDay ransomware, is an experienced and knowledgeable malware author.
Indicators of Compromise