Ransomware, Threat Management, Malware

New custom ransomware variant leveraged by Vice Society operation

BleepingComputer reports that the Vice Society ransomware operation has shifted to the new PolyVice ransomware strain, which uses a robust hybrid encryption scheme combining the asymmetric NTRUEncrypt algorithm with symmetric ChaCha20-Poly1305 encryption. Initially discovered in July but only fully adopted recently, PolyVice shares identical functionality with the Chilly and SunnyDay ransomware strains, according to a report from SentinelOne. PolyVice differs from those strains only in its file extension, hardcoded master key, ransom note name, and wallpaper, which prompted researchers to hypothesize that all three were developed by the same vendor and to suggest that outsourcing of ransomware tool development is becoming more common. "The code design suggests the ransomware developer provides a builder that enables buyers to independently generate any number of lockers/decryptors by binary patching a template payload. This allows buyers to customize their ransomware without revealing any source code. Unlike other known RaaS builders, buyers can generate branded payloads, enabling them to run their own RaaS programs," said SentinelOne.
