Outsourcing ransomware development.
Dec 23, 2022

SentinelOne has recently discovered a new ransomware strain in use by the Vice Society ransomware group.

Cybersecurity firm SentinelOne discovered a new ransomware variant in use by the Vice Society group. It's custom-branded for the group, a first for these threat actors.

PolyVice: a custom strain only in name.

Vice Society activity has been observed since June 2021, and the group has always been seen using third-party ransomware strains, such as “HelloKitty,” “Five Hands,” and “Zeppelin,” SentinelOne reports. The strain seen in a recent intrusion, which the firm’s researchers have dubbed “PolyVice,” appends the “.ViceSociety” file extension to encrypted files. Recent findings that the Zeppelin ransomware strain implemented weak encryption that allowed for decryption may have been a factor in the group’s adoption of the new PolyVice variant. The ransomware is suspected to come from a vendor, as Chilly ransomware and SunnyDay ransomware have identical functions, with variations only in campaign-specific details.

What can PolyVice do?

BleepingComputer reports that the strain not only renames the file extension to the group’s identity but also has stronger, hybrid encryption, “based on NTRUEncrypt and ChaCha20-Poly1305.” The ransomware has also been seen dropping ransom notes with the name “AllYFilesAE.” "The code design suggests the ransomware developer provides a builder that enables buyers to independently generate any number of lockers/decryptors by binary patching a template payload," SentinelOne says in its report. "This allows buyers to customize their ransomware without revealing any source code. Unlike other known RaaS builders, buyers can generate branded payloads, enabling them to run their own RaaS programs."