Vice Society Group Using Custom-Branded PolyVice Ransomware

January 3, 2023

The Vice Society group is using a new custom-branded ransomware payload, named "PolyVice", in recent intrusions. It implements a robust hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files. The algorithms in use are NTRUEncrypt and ChaCha20-Poly1305. In a recent intrusion, the extension ".ViceSociety" was appended to encrypted file names, and the ransom note was placed in a file named "AllYFilesAE" in each encrypted directory. Further analysis of the PolyVice payload revealed that the codebase for the Windows payload has been used to build custom-branded payloads for other threat groups, including the "Chily" and "SunnyDay" ransomware. SentinelOne assesses that it is likely that an unknown developer or group of developers specializing in ransomware development is creating custom-branded payloads for multiple groups. Vice Society operators have deployed third-party ransomware payloads in past intrusions, including HelloKitty, Five Hands, and Zeppelin.
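For incident scoping, the two file-system indicators above can be correlated per directory. The following triage script is an added example, not code from Cymulate or SentinelOne; the matching rules (case-insensitive, note matched by file stem) and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Indicators from the write-up above. Matching rules are assumptions:
# case-insensitive, and the note is matched by stem so any extension is accepted.
ENCRYPTED_EXT = ".vicesociety"
NOTE_STEM = "allyfilesae"


def scan_tree(root):
    """Return {relative_dir: finding} for every directory showing an indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        encrypted = notes = intact = 0
        for name in (f.lower() for f in files):
            if name.endswith(ENCRYPTED_EXT):
                encrypted += 1
            elif os.path.splitext(name)[0] == NOTE_STEM:
                notes += 1
            else:
                intact += 1
        if not (encrypted or notes):
            continue
        findings[os.path.relpath(dirpath, root)] = {
            "encrypted": encrypted,
            "intact": intact,  # files not yet renamed: useful for scoping
            "note": notes > 0,
            # Renamed files plus a note in the same directory is the reported pattern.
            "verdict": "match" if encrypted and notes else "partial",
        }
    return findings


def build_sample(root):
    """Constructed sample tree: one matching share, one partial, one clean."""
    layout = {
        "finance": ["q3.xlsx.ViceSociety", "payroll.db.ViceSociety", "AllYFilesAE"],
        "hr": ["roster.docx.ViceSociety", "handbook.pdf"],
        "public": ["readme.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, finding in sorted(scan_tree(tmp).items()):
            print(folder, finding)
```

Because the same codebase is rebranded for other groups, the extension and note name are per-campaign values; treat the two constants as inputs rather than a durable signature.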