Vice Society Launches Custom 'PolyVice' Encryptor
Vice Society is now deploying its own custom encryptor, named 'PolyVice', in attacks. Previously, Vice Society relied on third-party ransomware strains such as HelloKitty (aka FiveHands) and Zeppelin. SentinelOne researchers reported the discovery, observing the ransomware variant on July 13th, 2022; however, it did not appear to be fully adopted into the group's infection chain. An analysis of the 'PolyVice' encryptor finds that its encryption scheme uses the NTRUEncrypt and ChaCha20-Poly1305 algorithms. Coding similarities were found in 'PolyVice', with function matches to the Chilly and SunnyDay ransomware. When executed, the 'PolyVice' encryptor appends the ".ViceSociety" file extension to locked files and drops a ransom note file named 'AllYFilesAE'. To help optimize the speed of the encryption process, 'PolyVice' uses a "multi-threading approach to parallelize the encryption of the files."

Since Vice Society emerged in June 2021, it has established itself as a highly proficient and well-resourced threat actor. Being a highly opportunistic group, Vice Society operators target all verticals, with a particular interest in under-resourced industries such as education and healthcare.
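For defenders, the two host indicators named above (the ".ViceSociety" extension and the 'AllYFilesAE' note) can be correlated with the burst of file writes that parallelized encryption produces. The following is an added example, not code from SentinelOne or the original article; the event tuple format, window, threshold, host names and sample paths are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Indicators named in the article; the matching rules are this example's choice.
LOCKED_EXT = ".vicesociety"
NOTE_PREFIX = "allyfilesae"   # prefix match tolerates an extension on the note

# Constructed file create/rename telemetry: (epoch_seconds, host, path).
SAMPLE_EVENTS = [
    (1000.0, "ws-01", r"C:\Users\a\Documents\q1.xlsx.ViceSociety"),
    (1000.2, "ws-01", r"C:\Users\a\Documents\q2.xlsx.ViceSociety"),
    (1000.3, "ws-01", r"C:\Users\a\Documents\AllYFilesAE"),
    (1000.5, "ws-01", r"C:\Users\a\Pictures\a.jpg.ViceSociety"),
    (1001.0, "ws-01", r"C:\Users\a\Pictures\b.jpg.ViceSociety"),
    (1001.4, "ws-01", r"C:\Users\a\Desktop\todo.txt.ViceSociety"),
    (1500.0, "ws-02", r"C:\Temp\report.docx"),
    (2000.0, "ws-03", r"D:\samples\test.bin.ViceSociety"),
]

def detect_polyvice(events, window=10.0, threshold=5):
    """Return {host: {"note_paths", "max_burst", "severity"}} for hosts with hits."""
    locked = defaultdict(list)   # host -> timestamps of *.ViceSociety events
    notes = defaultdict(list)    # host -> ransom note paths seen
    for ts, host, path in events:
        p = PureWindowsPath(path)
        if p.suffix.lower() == LOCKED_EXT:
            locked[host].append(ts)
        elif p.name.lower().startswith(NOTE_PREFIX):
            notes[host].append(path)
    report = {}
    for host in set(locked) | set(notes):
        stamps = sorted(locked[host])
        # Sliding window: most locked-file events seen within `window` seconds.
        best = lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        burst, note = best >= threshold, bool(notes[host])
        # Burst plus note is high confidence; one of them is a lead to triage.
        severity = "high" if burst and note else "medium" if burst or note else "low"
        report[host] = {"note_paths": notes[host], "max_burst": best,
                        "severity": severity}
    return report

if __name__ == "__main__":
    for host, finding in sorted(detect_polyvice(SAMPLE_EVENTS).items()):
        print(host, finding)
```
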