Categories
Audio Sources - Full Text Articles

Vice Society ransomware gang is using a custom locker

Listen to this article

The Vice Society ransomware group has adopted new custom ransomware, with a strong encryption scheme, in recent intrusions.

SentinelOne researchers discovered that the Vice Society ransomware gang has started using a custom ransomware that implements a robust encryption scheme, using NTRUEncrypt and ChaCha20-Poly1305 algorithms.

Vice Society ransomware has been active since June 2021, it isĀ considered by researchersĀ a spin-off of theĀ HelloKitty ransomware, the malware targets both Windows and Linux systems primarily belonging to small orĀ midsize victims.

This group focuses on public school districts and other educational institutions, like other ransomware gangs it implements a double extortion model and publishes data stolen from the victims on a data leak site.

The new variant, dubbed ā€œPolyViceā€, was used in a recent attack and appended the file extensionĀ ā€œ.ViceSocietyā€Ā to all encrypted files. The malware dropped ransom notes with the file name ā€œAllYFilesAEā€ in each encrypted directory.

The researchers speculate the ransomware was in the early stages of development, they found debugging messages in the code.

SentinelOne noticed a significant overlap with the process implemented in the RedAlert ransomware, a circumstance that suggests that both variants were developed by the same threat actor.

Further investigation also revealed that codebase for the Vice Society Windows payload has been used to build custom-branded payloads for other ransomware groups, such as ā€œChilyā€ and ā€œSunnyDay.ā€

Vice Society ransomware

ā€œWe assess it’s likely that a previously unknown developer or group of developers with specialized expertise in ransomware development is selling custom-branded ransomware payloads to multiple groups. The details embedded in these payloads make it highly unlikely that Vice Society, SunnyDay, and Chily ransomware are operated by the same group.ā€ continues the report. ā€œThe delivery method for this ā€œLocker as a Serviceā€ is unclear, but the code design suggests the ransomware developer provides a builder that enables buyers to independently generate any number of lockers/decryptors by binary patching a template payload.ā€

Buyers can customize their ransomware without revealing any source code and can generate branded payloads to run their own RaaS programs.

The encryption scheme used by PolyVice combines asymmetric and symmetric encryption to securely encrypt files. It leverages a quantum-resistant NTRUEncryptĀ algorithm for asymmetric encryption, and an open source implementationĀ of theĀ ChaCha20-Poly1305Ā algorithm for symmetric encryption.

The PolyVice locker implement a multi-threading approach to parallelize the encryption process.

The malware uses theĀ CreateThreadĀ function to spawn multiple workers and relies on aĀ WaitForMultipleObjectĀ call to synchronize with the main thread,

The main thread and the worker threads use anĀ I/O Completion Port to exchange data.

PolyVice worker reads the file content to determine the speed optimizations to apply which depend on the file size. The PolyVice ransomware appliesĀ intermittent encryptionĀ selectively.

  • Files smaller than 5MB are fully encrypted.
  • Files with a size between 5MB and 100MB are partially encrypted:
    • A total of 5MB of content is encrypted by splitting them into 2 chunks of 2.5MB. First chunk from the top and the second chunk from the bottom of the file.
  • Files bigger than 100MB are partially encrypted:
    • A total of 25MB of content is encrypted in intermittent mode split into 10 chunks of 2.5MB distributed every 10% of the file size.

ā€œThe adoption of the PolyVice Ransomware variant has further strengthened their ransomware campaigns, enabling them to quickly and effectively encrypt victims’ data using a robust encryption scheme.ā€ concludes the report. ā€œTheĀ ransomware ecosystemĀ is constantly evolving, with the trend of hyperspecialization and outsourcing continuously growing.ā€

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

PierluigiĀ Paganini

(SecurityAffairs – hacking, Vice Society ransomware)

The post Vice Society ransomware gang is using a custom locker appeared first on Security Affairs.