Go to listing page

Vice Society Adds Custom-branded Payload PolyVice to its Arsenal

Vice Society Adds Custom-branded Payload PolyVice to its Arsenal
Vice Society ransomware gang, which targeted dozens of educational institutions only this year, is now using a new custom-branded ransomware payload in its recent cyberattacks. The ransomware variant, dubbed PolyVice, was first seen in the wild in July, however, the group started using this variant in late September.

PolyVice: the new encryptor

According to a report by SentinelOne researchers, PolyVice is a 64-bit binary that uses a hybrid encryption scheme.
  • The scheme combines asymmetric encryption with the NTRUEncrypt algorithm and symmetric encryption with the ChaCha20-Poly1305 algorithm.
  • Vice Society group has used intermittent encryption or partial encryption technique, where small chunks of files are encrypted instead of encrypting the entire file.
  • This leaves the data unusable within a fraction of the time required in comparison to encrypting the entire file.

Modus operandi

PolyVice utilizes a multi-threading approach that runs the encryption process via parallel processing on the victim's processor. 
  • Each worker node of this parallel processing further analyzes the size of the targeted file to optimize the speed for faster encryption.
  • Files smaller than 5 MB are fully encrypted and bigger files are partially encrypted.  For files between 5 MB and 100 MB, two chunks of 2.5 MB are encrypted, while for larger files, 10 chunks of 2.5 MB each are encrypted across the file.
  • It adds .ViceSociety file extension to all encrypted files and drops ransom notes with the file name AllYFilesAE in each encrypted directory. Moreover, each PolyVice worker adds information necessary for decryption at the file footer.

Code similarities and differences

PolyVice has extensive code similarities with the payloads of the Chily ransomware and SunnyDay ransomware.
  • All these payloads have 100% matched functions and identical executable codebase, however, PolyVice contains some additional new functions.
  • The differences can be noticed in campaign-specific details such as the file extension, hardcoded master key, wallpaper, ransom note name, and content.
  • Moreover, researchers observed some debugging messages in PolyVice’s codebase, suggesting that the Vice Society group’s own ransomware implementation is in its early stage of development. 

A common code base shared among multiple malware (PolyVice, Chily, and SunnyDay) opens up several doors of possibilities to researchers.

Shedding lights on possibilities

  • The Vice Society may have sourced PolyVice from a vendor or a commodity ransomware builder who supplies similar tools to other ransomware groups.
  • There may be some ransomware developers operating a Locker-as-a-Service that provides a builder that allows buyers (Vice Society being one of them) to independently generate any number of customized lockers/decryptors and run its own RaaS programs.
  • At last, Vice Society, SunnyDay, and Chily ransomware could be byproducts of the same group.


The use of PolyVice indicates that the group is strengthening its ransomware campaigns by using its own expertise, such as the use of stronger encryption algorithms and better intermittent encryption methods. Vice Society has a history of deploying third-party ransomware in its intrusions, including HelloKitty, Five Hands, and Zeppelin. These ransomware implemented a weak encryption scheme that allowed for the decryption of locked files, potentially motivating the group to adopt a new locker and a robust encryption scheme.
Cyware Publisher