SentinelLabs details Vice Society ransomware group using custom-branded ransomware payload

SentinelLabs disclosed that the Vice Society group has adopted a new custom-branded ransomware payload in recent intrusions, dubbed ‘PolyVice,’ which implements an encryption scheme using the NTRUEncrypt and ChaCha20-Poly1305 algorithms. It is also likely that the group behind Vice Society’s custom-branded ransomware is selling similar payloads to other groups.

“Using the classic double extortion technique, they set about maximizing financial gain with purely opportunistic targeting. In recent months, Vice Society has expanded its target selection strategy to include additional sensitive sectors,” Antonio Cocomazzi, a senior threat intelligence researcher at SentinelOne, wrote in a company blog post. “The TTPs are nothing new. They include initial network access through compromised credentials, exploitation of known vulnerabilities (e.g., PrintNightmare), internal network reconnaissance, abuse of legitimate tools (aka COTS and LOLBins), commodity backdoors, and data exfiltration.”

Cocomazzi added that rather than using or developing their own locker payload, Vice Society operators have deployed third-party ransomware in their intrusions, including HelloKitty, Five Hands, and Zeppelin.

In a recent intrusion, SentinelLabs identified a ransomware deployment that appended the file extension [dot]ViceSociety to all encrypted files in addition to dropping ransom notes with the file name ‘AllYFilesAE’ in each encrypted directory. “Our initial analysis suggested the ransomware, which we dubbed ‘PolyVice,’ was in the early stages of development. The presence of debugging messages suggested that the Vice Society group may be developing their own ransomware implementation,” the post added.
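The two artifacts named above, the appended file extension and the ransom-note file name, are the kind of indicators a responder would sweep a file share for during triage. The script below is an added example written for this article, not SentinelLabs tooling; it walks a directory tree, flags files carrying the ‘.ViceSociety’ extension and any file whose name (ignoring extension) is ‘AllYFilesAE’, and reports which directories were hit. The sample directory layout it builds is constructed for the demonstration, and the assumption that the note may carry an extension such as .txt is the author’s, not something the report states.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators quoted in the SentinelLabs report: the extension appended to
# encrypted files and the ransom-note file name dropped in each directory.
ENCRYPTED_EXT = ".ViceSociety"
RANSOM_NOTE_STEM = "AllYFilesAE"


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    directories_hit: set = field(default_factory=set)

    def is_suspicious(self) -> bool:
        # Either indicator alone is worth an alert; both together is a strong signal.
        return bool(self.encrypted_files or self.ransom_notes)


def scan_tree(root: str) -> ScanResult:
    """Walk a directory tree and collect PolyVice-style indicators.

    Comparisons are case-insensitive because the payload targets Windows,
    where the file system does not distinguish case.
    """
    result = ScanResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full_path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT.lower()):
                result.encrypted_files.append(full_path)
                result.directories_hit.add(dirpath)
            elif Path(name).stem.lower() == RANSOM_NOTE_STEM.lower():
                # Assumption: the note may be dropped with or without an
                # extension such as .txt, so match on the stem only.
                result.ransom_notes.append(full_path)
                result.directories_hit.add(dirpath)
    return result


def build_sample_tree(base: str) -> str:
    """Create a constructed directory layout mimicking a post-encryption state.

    File contents are placeholders; only the names matter for the scan.
    """
    layout = {
        "docs/report.docx.ViceSociety": b"\x00" * 16,
        "docs/budget.xlsx.ViceSociety": b"\x00" * 16,
        "docs/AllYFilesAE.txt": b"ransom note placeholder",
        "docs/notes.txt": b"untouched file",
        "pics/holiday.jpg": b"untouched file",
        "pics/AllYFilesAE": b"ransom note placeholder",
    }
    for rel, data in layout.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def demo() -> ScanResult:
    """Build the sample tree in a temporary directory, scan it and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {len(r.encrypted_files)}")
    print(f"ransom notes:    {len(r.ransom_notes)}")
    print(f"directories hit: {len(r.directories_hit)}")
    print("suspicious:", r.is_suspicious())
```

On a real host you would point scan_tree at a mounted share or volume rather than the constructed tree; the per-directory hit set is useful for scoping how far encryption progressed before the process was stopped.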

“Zeppelin ransomware, previously seen used by the group, was recently found to implement a weak encryption scheme that allows for decryption of locked files, potentially motivating the group to adopt a new locker,” according to Cocomazzi. “However, further investigation showed that a decryptor related to the PolyVice variant first appeared in the wild on July 13, 2022, indicating that the locker could not have been in the early stages of development and that a ‘release’ version existed prior to the group’s use of Zeppelin and other ransomware variants.”

SentinelLabs’ analysis suggests that Vice Society has used a toolkit overpopulated with different ransomware strains and variants. “We identified significant overlap in the encryption implementation observed in the ‘RedAlert’ ransomware, a Linux locker variant targeting VMware ESXi servers, suggesting that both variants were developed by the same group of individuals.”

According to Microsoft, Vice Society adopted the RedAlert variant in late September 2022. “We haven’t been able to confirm if a RedAlert Windows variant payload existed in the wild at the time, or if the Windows variant we track as PolyVice has any relation with it,” SentinelLabs said. Further investigation also revealed that the codebase used to build the Vice Society Windows payload has been used to build custom-branded payloads for other threat groups, including the ‘Chily’ and ‘SunnyDay’ ransomware.

Cocomazzi assesses that it is likely that a previously unknown developer or group of developers with specialized expertise in ransomware development is selling custom-branded ransomware payloads to multiple groups. The details embedded in these payloads make it highly unlikely that Vice Society, SunnyDay, and Chily ransomware are operated by the same group.

The delivery method for this ‘Locker as a Service’ is unclear, but the code design suggests the ransomware developer provides a builder that enables buyers to independently generate any number of lockers/decryptors by binary patching a template payload, Cocomazzi added. “This allows buyers to customize their ransomware without revealing any source code. Unlike other known RaaS builders, buyers can generate branded payloads, enabling them to run their own RaaS programs.”

Cocomazzi concluded that the Vice Society group has established itself as a highly-resourced and capable threat actor, capable of successfully carrying out ransom attacks against large environments and with connections within the criminal underground. “The adoption of the PolyVice Ransomware variant has further strengthened their ransomware campaigns, enabling them to quickly and effectively encrypt victims’ data using a robust encryption scheme,” he added.

The ransomware ecosystem is constantly evolving, with the trend of hyperspecialization and outsourcing continuously growing. These groups are focusing on specific skill sets and offering them as a service to other groups, effectively mimicking traditional ‘professional services’ and lowering barriers to entry for less capable groups.

“This trend towards specialization and outsourcing presents a significant threat to organizations as it enables the proliferation of sophisticated ransomware attacks,” Cocomazzi added. “It is crucial for organizations to be aware of this trend and take steps to protect themselves against these increasingly sophisticated threats.”

In July, SentinelLabs identified a new cluster of threat activity targeting Russian organizations, which are increasingly under attack by Chinese APTs. The attacks use phishing emails carrying Office documents that exploit targets to deliver the actors’ RAT of choice, most commonly ‘Bisonal.’ SentinelLabs also assessed ‘with high confidence that the threat actor responsible for the attacks is a Chinese state-sponsored cyber espionage group, as also recently noted by Ukraine CERT (CERT-UA).’
