Vice Society Ransomware uses PolyVice Payload

Vice Society ransomware gang is now using a new custom payload in its recent cyberattacks. The ransomware variant, dubbed PolyVice, was first seen in the wild in July, but it was used only in September.

PolyVice is a 64-bit binary that uses a hybrid encryption scheme.

• The scheme combines asymmetric encryption with the NTRUEncrypt algorithm and symmetric encryption with the ChaCha20-Poly1305 algorithm.
• Originally, the Vice society group used intermittent encryption or partial encryption technique, where small chunks of files are encrypted instead of encrypting the entire file. This will make the data unusable within a fraction of the time required in comparison to encrypting the entire file.

PolyVice utilizes a multi-threading approach that runs the encryption process via parallel processing on the victim’s processor. It adds .ViceSociety file extension to all encrypted files and drops ransom notes with the file name AllYFilesAE in each encrypted directory.

PolyVice has extensive code similarities with the payloads of the Chily ransomware and SunnyDay ransomware. Rearchers observed some debugging messages in PolyVice’s codebase, suggesting that the Vice Society group’s own ransomware implementation is in its early stage of development. 

There may be some ransomware developers operating a Locker-as-a-Service that provides a builder that allows buyers to independently generate any number of customized lockers/decryptors and run its own RaaS programs. At last, Vice Society, SunnyDay, and Chily ransomware could be byproducts of the same group.

The use of PolyVice indicates that the group is strengthening its ransomware campaigns by using its own expertise, such as the use of stronger encryption algorithms and better intermittent encryption methods.