
Dec 23, 2022 | Ravie Lakshmanan | Ransomware / Endpoint Security

The Vice Society ransomware actors have switched to yet another custom ransomware payload in their recent attacks aimed at a variety of sectors.

“This ransomware variant, dubbed ‘PolyVice,’ implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms,” SentinelOne researcher Antonio Cocomazzi said in an analysis.

Vice Society, which is tracked by Microsoft under the moniker DEV-0832, is an intrusion, exfiltration, and extortion hacking group that first appeared on the threat landscape in May 2021.

Unlike other ransomware gangs, the cybercrime actor does not use file-encrypting malware developed in-house. Instead, it’s known to deploy third-party lockers such as Hello Kitty, Zeppelin, and RedAlert ransomware in its attacks.

Per SentinelOne, PolyVice’s extensive similarities to the Chily and SunnyDay ransomware strains indicate that the threat actor behind the custom-branded ransomware is also selling similar payloads to other hacking crews.

This implies a “Locker-as-a-Service” that’s offered by an unknown threat actor in the form of a builder that allows its buyers to customize their payloads, including the encrypted file extension, ransom note file name, ransom note content, and the wallpaper text, among others.

The shift from Zeppelin is likely to have been spurred by the discovery of weaknesses in its encryption algorithm that enabled researchers at cybersecurity company Unit221B to devise a decryptor in February 2020.

Besides implementing a hybrid encryption scheme that combines asymmetric and symmetric encryption to securely encrypt files, PolyVice also makes use of partial encryption and multi-threading to speed up the process.

It’s worth pointing out that the recently discovered Royal ransomware employs similar tactics in a bid to evade anti-malware defenses, Cybereason disclosed last week.

Royal, which has its roots in the now-defunct Conti ransomware operation, has also been observed to use callback phishing (or telephone-oriented attack delivery) to trick victims into installing remote desktop software for initial access.

Leaked Conti Source Code Fuels Emerging Ransomware Variants

Meanwhile, the leak of Conti source code earlier this year has spawned a number of new ransomware strains such as Putin Team, ScareCrow, BlueSky, and Meow, Cyble disclosed, highlighting how such leaks make it easier for threat actors to launch different offshoots with minimal investment.

“The ransomware ecosystem is constantly evolving, with the trend of hyperspecialization and outsourcing continuously growing,” Cocomazzi said, adding it “presents a significant threat to organizations as it enables the proliferation of sophisticated ransomware attacks.”
