Vice Society ransomware gang moves to a new custom encryptor

The Vice Society ransomware operation has switched to a custom ransomware encryptor that implements a strong hybrid encryption scheme based on NTRUEncrypt, ChaCha20 and Poly1305.

SentinelOne, the cybersecurity company that discovered and named the new strain “PolyVice”, believes Vice Society most likely obtained it from a supplier who sells similar tools to other ransomware operations.

Vice Society was first spotted in the summer of 2021. The group uses double-extortion techniques: it steals data from corporate networks, encrypts devices, and threatens to publish the stolen information if the ransom is not paid.

Vice Society previously used other ransomware operations’ encryptors, such as Zeppelin and Five Hands, in its attacks.

This appears to have changed: Vice Society now uses a new encryptor that is believed to have been produced by a commodity ransomware builder.

The new “PolyVice” encryptor

The new PolyVice strain gives Vice Society attacks a distinctive signature: it appends the “.ViceSociety” extension to locked files and drops ransom notes named ‘AllYFilesAE’.

Vice Society ransom note (Source: BleepingComputer)

Although the new variant was first seen in the wild on July 13th, 2022, the group did not fully adopt it until much later.

SentinelOne’s analysis revealed that PolyVice shares extensive code similarities with the Chilly ransomware and the SunnyDay ransomware, with an almost perfect match in terms of functions.

Similarity between Chilly and PolyVice

The only differences are campaign-specific details such as the file extension, ransom note name, hardcoded master key and wallpaper, which supports the common-vendor hypothesis.

SentinelOne explained that the code design indicates the ransomware developer offers a builder that lets buyers generate any number of lockers/decryptors independently by binary-patching a template payload.

This allows ransomware buyers to customize their ransomware without the developer having to reveal any source code. Unlike other RaaS builders, buyers can create branded payloads, which lets them run their own RaaS programs.

Hybrid encryption

PolyVice employs a hybrid encryption method that combines asymmetric encryption using the NTRUEncrypt algorithm with symmetric encryption using the ChaCha20–Poly1305 algorithm.

The payload embeds a pre-generated 192-bit NTRU public key and generates a random 112-bit NTRU key pair on the compromised system. This key pair is unique for each victim.

The victim-specific pair is used to encrypt the ChaCha20-Poly1305 keys, which are unique for each file. To protect the victim’s NTRU private key from recovery, it is in turn encrypted with the embedded NTRU public key.

Encryption of NTRU private key pair


PolyVice is a 64-bit binary that uses multi-threading to parallelize symmetric data encryption, taking advantage of the victim’s full processor capacity to speed up encryption.

Each PolyVice worker also inspects each file to decide whether speed optimizations are possible. These optimizations depend on file size, and PolyVice applies intermittent encryption only where it pays off.

  • Files smaller than 5MB are fully encrypted.
  • Files between 5MB and 100MB are partially encrypted: they are divided into 2.5MB chunks, and the second chunk is skipped.
  • Files larger than 100MB are split into 10 evenly distributed regions, and 2.5MB of each region is encrypted.
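As an added illustration (not code from the article or from SentinelOne), the following models the size-based chunk selection just described and reports how much of a file a worker would encrypt. Where the article leaves the placement unspecified (which chunks are skipped in the 5MB-100MB tier, and where the 2.5MB slice sits inside each of the 10 regions), the code makes an explicitly labelled assumption. A responder can use it to estimate how much intact plaintext a partially encrypted file still contains.

```python
from __future__ import annotations

# Added example modelling PolyVice's size-based intermittent encryption as
# described in the article. Assumptions not stated in the article: for the
# 5MB-100MB tier, 2.5MB chunks are taken from the start of the file and every
# second chunk is skipped (chunks 1, 3, 5, ... encrypted); for files over 100MB,
# the file is split into 10 equal regions and the first 2.5MB of each region is
# encrypted. Sizes are in bytes, with 1MB = 2**20.

MB = 1024 * 1024
CHUNK = int(2.5 * MB)
SMALL_LIMIT = 5 * MB
LARGE_LIMIT = 100 * MB
REGIONS = 10


def encrypted_ranges(file_size: int) -> list[tuple[int, int]]:
    """Return [(offset, length), ...] for the byte ranges that would be encrypted."""
    if file_size < 0:
        raise ValueError("file size must be non-negative")
    if file_size < SMALL_LIMIT:
        # Small files are encrypted in full (an empty file has nothing to encrypt).
        return [(0, file_size)] if file_size else []
    if file_size <= LARGE_LIMIT:
        # Medium files: 2.5MB chunks, every second chunk skipped (assumption).
        ranges = []
        offset = 0
        while offset < file_size:
            ranges.append((offset, min(CHUNK, file_size - offset)))
            offset += 2 * CHUNK
        return ranges
    # Large files: 10 evenly distributed regions, 2.5MB at the start of each
    # region encrypted (assumption about placement within the region).
    region = file_size // REGIONS
    return [(i * region, min(CHUNK, file_size - i * region)) for i in range(REGIONS)]


def encrypted_fraction(file_size: int) -> float:
    """Fraction of the file's bytes that end up encrypted (0.0 for an empty file)."""
    if file_size == 0:
        return 0.0
    return sum(length for _, length in encrypted_ranges(file_size)) / file_size


if __name__ == "__main__":
    for size in (1 * MB, 10 * MB, 200 * MB):
        print(size // MB, "MB ->", f"{encrypted_fraction(size):.1%} encrypted")
```

The fraction drops sharply for large files: a 200MB file has only 25MB touched, so most of its content remains intact plaintext.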

After encrypting a file, each PolyVice worker appends a footer containing all the information required for decryption.

PolyVice worker thread code


These features suggest that whoever created the ransomware used by Vice Society and SunnyDay is an experienced malware developer.

SentinelOne’s results further highlight the growing trend towards outsourcing within the sector, where ransomware gangs pay specialists to build high-performing, sophisticated tools.

Depending on their availability and cost, such tools can help low-skilled ransomware attackers launch devastating attacks on organizations.