"Vice Society Ransomware Gang Is Using a Custom Locker"

Researchers from SentinelOne found that the Vice Society ransomware group has begun using custom ransomware with a robust encryption scheme built on the NTRUEncrypt and ChaCha20-Poly1305 algorithms. Vice Society ransomware has been active since June 2021, and researchers consider it a spin-off of HelloKitty ransomware. It predominantly targets Windows and Linux systems belonging to small and medium-sized organizations, including public school districts and other educational institutions. Like other ransomware gangs, it uses a double extortion model and publishes victim data on a data breach website.

In a recent attack, a new variant named "PolyVice" appended the file extension ".ViceSociety" to all encrypted files and dropped ransom notes with the filename "AllYFilesAE" in each encrypted directory. Researchers believe the malware is still in its early stages of development, having discovered debugging messages in its code. SentinelOne found considerable commonality with the method used by the RedAlert ransomware, implying that both variants were created by the same threat actor. Further investigation found that the codebase of the Vice Society Windows payload was also used to construct custom-branded payloads for other ransomware gangs, including "Chily" and "SunnyDay." Buyers can customize their ransomware and build branded payloads to run their own Ransomware-as-a-Service (RaaS) programs without any source code being revealed.

PolyVice's encryption scheme combines asymmetric and symmetric encryption. For asymmetric encryption it uses the quantum-resistant NTRUEncrypt algorithm; for symmetric encryption it uses an open-source implementation of ChaCha20-Poly1305. To parallelize encryption, the PolyVice locker uses multi-threading: the malware spawns numerous worker threads and synchronizes them with the main thread through a WaitForMultipleObjects call, and the main thread and the workers exchange data over an I/O Completion Port. This article continues to discuss findings surrounding the Vice Society ransomware gang's use of new custom ransomware.

Security Affairs reports "Vice Society Ransomware Gang Is Using a Custom Locker"

Submitted by Anonymous on