Vice Society has adopted a new custom-branded ransomware payload named PolyVice that uses NTRUEncrypt and ChaCha20-Poly1305 for strong encryption. The analysis indicates the same developers are selling customized payloads to multiple groups, signaling an outsourced ransomware ecosystem. #PolyVice #ViceSociety #RedAlert #Chily #SunnyDay
Keypoints
- The Vice Society group has launched a custom-branded payload called PolyVice that employs NTRUEncrypt and ChaCha20-Poly1305 for encryption.
- Evidence suggests code and tooling are reused across multiple groups (e.g., Chily and SunnyDay), indicating an outsourced development model for ransomware payloads.
- Indicators show Vice Society has deployed third-party ransomware in intrusions, including HelloKitty, Five Hands, and Zeppelin, rather than only their own locker.
- PolyVice appears to be part of a broader “Locker as a Service” ecosystem where buyers can generate branded lockers/decryptors via a template builder without exposing source code.
- Technical analysis reveals a hybrid key hierarchy: the locker generates an NTRU key pair at runtime and a fresh ChaCha20-Poly1305 key for each file, wraps each per-file key with the runtime NTRU public key, and ties recovery of the runtime private key to the operators' master key, so only the matching decryptor component can restore files.
- Encryption is parallelized with multi-threading and Windows APIs to speed up processing of files on local drives, remote drives and network shares; whether a file is encrypted in full or only in part is decided by its size.
- Recent findings emphasize a trend toward hyperspecialization and outsourcing in ransomware; because code and services are shared, one developer's payload reaches victims under several brands, which widens the threat surface for organizations and means analysis of one brand often carries over to its siblings.
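The size-based strategy in the last point, as an added example that is not code from the original report or from PolyVice: a planner that chooses full or chunked encryption by file size, with thresholds that are assumptions for illustration, followed by the responder's counterpart, a windowed Shannon-entropy scan that finds which byte ranges of a file actually contain ciphertext. It is Go using only the standard library; `Simulate` builds a constructed low-entropy file, overwrites the planned ranges with a deterministic pseudo-random stream that stands in for ciphertext, and shows the scan recovering the same ranges.

```go
// Added example, not PolyVice's own code. The key points say the locker picks an
// encryption strategy by file size; the thresholds and chunk layout here are assumed
// for illustration only. The scan at the end is the responder's side: a windowed
// entropy pass that locates which byte ranges of a file were actually encrypted.
package main

import "math"

// Assumed policy, not PolyVice's real thresholds.
const (
	fullEncryptLimit = 1 << 20  // files up to 1 MiB: encrypt everything
	chunkLen         = 64 << 10 // larger files: encrypt chunkCount 64 KiB chunks
	chunkCount       = 4
)

type Range struct{ Off, Len int }

// PlanRanges returns the byte ranges the size-based strategy would encrypt: the
// whole file when it is small, otherwise chunks spread evenly across the file.
func PlanRanges(size int) []Range {
	if size <= fullEncryptLimit {
		return []Range{{0, size}}
	}
	stride := size / chunkCount
	out := make([]Range, 0, chunkCount)
	for i := 0; i < chunkCount; i++ {
		off, n := i*stride, chunkLen
		if off+n > size {
			n = size - off
		}
		out = append(out, Range{off, n})
	}
	return out
}

// Entropy is Shannon entropy in bits per byte: 0 for empty input, at most 8.
func Entropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h, n := 0.0, float64(len(b))
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// HighEntropyRanges slides a window over data and merges adjacent windows whose
// entropy reaches threshold. Ciphertext scores near 8; text or zero fill far lower.
func HighEntropyRanges(data []byte, window int, threshold float64) []Range {
	var out []Range
	for off := 0; off < len(data); off += window {
		end := off + window
		if end > len(data) {
			end = len(data)
		}
		if Entropy(data[off:end]) < threshold {
			continue
		}
		if k := len(out) - 1; k >= 0 && out[k].Off+out[k].Len == off {
			out[k].Len += end - off
		} else {
			out = append(out, Range{off, end - off})
		}
	}
	return out
}

// fillPseudoRandom overwrites r in buf with a deterministic xorshift64 stream, a
// stand-in for ciphertext so the example is self-contained and reproducible.
func fillPseudoRandom(buf []byte, r Range, seed uint64) {
	x := seed | 1
	for i := r.Off; i < r.Off+r.Len; i++ {
		x ^= x << 13
		x ^= x >> 7
		x ^= x << 17
		buf[i] = byte(x >> 24)
	}
}

// Simulate builds a constructed low-entropy file of the given size, overwrites the
// planned ranges as if encrypted, and returns the plan beside what the scan found.
func Simulate(size int) (planned, detected []Range) {
	const filler = "The quick brown fox jumps over the lazy dog. "
	buf := make([]byte, size)
	for i := range buf {
		buf[i] = filler[i%len(filler)]
	}
	planned = PlanRanges(size)
	for i, r := range planned {
		fillPseudoRandom(buf, r, uint64(i+1)*0x9E3779B97F4A7C15)
	}
	return planned, HighEntropyRanges(buf, 4096, 7.5)
}
```

`Simulate(4 << 20)` returns four planned 64 KiB chunks and the scan reports the same four ranges; `Simulate(1000)` returns a single range covering the whole file. The practical point for triage is that a partially encrypted file can still have an intact header and open without error, so the presence of a valid magic number is not evidence that a file escaped the locker; an entropy map like this one tells you which parts are gone.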
MITRE Techniques
- [T1078] Valid Accounts – Initial access via compromised credentials. ‘initial network access through compromised credentials’
- [T1190] Exploit Public-Facing Application – Exploitation of known vulnerabilities (e.g., PrintNightmare). ‘exploitation of known vulnerabilities (e.g., PrintNightmare)’
- [T1016] System Network Configuration Discovery – Internal network reconnaissance. ‘internal network reconnaissance’
- [T1218] System Binary Proxy Execution (formerly Signed Binary Proxy Execution) – Abuse of legitimate tools (aka COTS and LOLBins). ‘abuse of legitimate tools (aka COTS and LOLBins)’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration. ‘data exfiltration’
- [T1486] Data Encrypted for Impact – The ransomware uses a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files. ‘hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files.’
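The hybrid scheme in the T1486 entry and in the key points (runtime-generated asymmetric key pair, per-file ChaCha20-Poly1305 keys, a decryptor tied to a master key), as an added example that is not PolyVice's code or the original report's: a Go model of the key hierarchy using only the standard library. NTRUEncrypt is not available there, so X25519 from crypto/ecdh stands in for it and AES-256-GCM for ChaCha20-Poly1305; the function names, the EncryptedFile layout and the wrapping format are assumptions for illustration, not PolyVice's real on-disk format.

```go
// Added example, not PolyVice's own code: a model of the hybrid key hierarchy the key
// points and the T1486 entry describe. NTRUEncrypt is not in Go's standard library, so
// X25519 (crypto/ecdh) stands in for it and AES-256-GCM for ChaCha20-Poly1305; names
// and byte layouts are assumptions for illustration, not PolyVice's real format.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// aeadSeal returns nonce || ciphertext || tag under a 256-bit key.
func aeadSeal(key, plaintext []byte) []byte {
	a := gcm(key)
	nonce := make([]byte, a.NonceSize())
	must(rand.Read(nonce))
	return append(nonce, a.Seal(nil, nonce, plaintext, nil)...)
}

// aeadOpen reverses aeadSeal; a wrong key or any tampering fails the tag check.
func aeadOpen(key, blob []byte) ([]byte, error) {
	a := gcm(key)
	if len(blob) < a.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}

// wrapTo is an ECIES-style public-key wrap (ephemeral X25519 -> shared secret ->
// SHA-256 -> AEAD key). Layout: ephemeralPub(32) || nonce || ciphertext || tag.
func wrapTo(pub *ecdh.PublicKey, secret []byte) []byte {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	kek := sha256.Sum256(must(eph.ECDH(pub)))
	return append(eph.PublicKey().Bytes(), aeadSeal(kek[:], secret)...)
}

// unwrapWith reverses wrapTo; only the matching private key passes the tag check.
func unwrapWith(priv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32 {
		return nil, fmt.Errorf("wrapped blob too short")
	}
	kek := sha256.Sum256(must(priv.ECDH(must(ecdh.X25519().NewPublicKey(blob[:32])))))
	return aeadOpen(kek[:], blob[32:])
}

// EncryptedFile is what the locker would leave on disk for one file.
type EncryptedFile struct {
	WrappedFileKey []byte // per-file key, wrapped to the runtime public key
	Body           []byte // contents sealed under the per-file key
}

// NewRuntimeKeys models locker start-up: generate the runtime pair, wrap its private
// half to the operators' master public key, keep only the public half in memory.
func NewRuntimeKeys(masterPub *ecdh.PublicKey) (*ecdh.PublicKey, []byte) {
	runtime := must(ecdh.X25519().GenerateKey(rand.Reader))
	return runtime.PublicKey(), wrapTo(masterPub, runtime.Bytes())
}

// EncryptFile models the per-file step: fresh 256-bit key, body sealed, key wrapped.
func EncryptFile(runtimePub *ecdh.PublicKey, data []byte) EncryptedFile {
	fileKey := make([]byte, 32)
	must(rand.Read(fileKey))
	return EncryptedFile{wrapTo(runtimePub, fileKey), aeadSeal(fileKey, data)}
}

// DecryptFile models the decryptor: master private key -> runtime private key ->
// per-file key -> plaintext. Without the master private key the first step fails.
func DecryptFile(masterPriv *ecdh.PrivateKey, wrappedPriv []byte, f EncryptedFile) ([]byte, error) {
	rawPriv, err := unwrapWith(masterPriv, wrappedPriv)
	if err != nil {
		return nil, fmt.Errorf("runtime private key: %w", err)
	}
	fileKey, err := unwrapWith(must(ecdh.X25519().NewPrivateKey(rawPriv)), f.WrappedFileKey)
	if err != nil {
		return nil, fmt.Errorf("file key: %w", err)
	}
	return aeadOpen(fileKey, f.Body)
}

// Demo runs the hierarchy on a constructed sample: the master key holder must recover
// it, and an unrelated master key must be rejected.
func Demo() (recovered, wrongMasterRejected bool) {
	sample := "constructed sample text, not a real document"
	master := must(ecdh.X25519().GenerateKey(rand.Reader))
	runtimePub, wrappedPriv := NewRuntimeKeys(master.PublicKey())
	ef := EncryptFile(runtimePub, []byte(sample))
	got, err := DecryptFile(master, wrappedPriv, ef)
	recovered = err == nil && string(got) == sample
	_, err = DecryptFile(must(ecdh.X25519().GenerateKey(rand.Reader)), wrappedPriv, ef)
	return recovered, err != nil
}
```

`Demo()` returns `(true, true)`: the holder of the master private key unwraps the runtime private key, then the per-file key, then the body, while any other master key fails at the first tag check. The property that matters for response follows from the structure: in this model the locker discards the clear runtime private key as soon as it has wrapped it, so memory captured from a running locker yields at most the per-file keys of files being processed at that moment, and full recovery depends on the operators' master private key or the decryptor built around it.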
Indicators of Compromise
- [SHA1] – c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac, 342c3be7cb4bae9c8476e578ac580b5325342941
- [SHA256] – f366e079116a11c618edcb3e8bf24bcd2ffe3f72a6776981bf1af7381e504d61, 039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09
- [File extension] – .ViceSociety, .v-society
- [File name] – AllYFilesAE, ALL YOUR FILES ARE ENCRYPTED!!!
- [Email address] – v-society.official@onionmail[.]org, EliasDibbert@onionmail[.]org
- [Tor address] – vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion, vsocietyjynbgmz4n4lietzmqrg2tab4roxwd2c2btufdwxi6v2pptyd[.]onion