Freely subscribe to our NEWSLETTER

Key findings:

The Vice Society group has adopted a new custom-branded ransomware payload in recent intrusions.

In a recent intrusion, SentinelLabs identified a ransomware deployment that it dubbed “PolyVice”. Initial examination suggested the ransomware was in the early stages of development, however, further investigation showed that a decryptor related to the PolyVice variant first appeared in the wild on July 13, 2022, indicating that the locker could not have been in the early stages of development and that a "release" version existed prior to the group’s use of Zeppelin and other ransomware variants.

This suggests that Vice Society has used a toolkit overpopulated with different ransomware strains and variants. Further investigation also revealed that the codebase used to build the Vice Society Windows payload has been used to build custom-branded payloads for other threat groups, including the "Chily" and "SunnyDay” ransomware.

It’s likely that the group behind the custom-branded ransomware for Vice Society is also selling similar payloads to other groups.

It appears that a previously unknown developer or group of developers with specialised expertise in ransomware development is selling custom-branded ransomware payloads to multiple groups. The details embedded in these payloads make it highly unlikely that PolyVice, SunnyDay, and Chily ransomware are operated by the same group.

The delivery method for this "Locker as a Service" is unclear, but the code design suggests the ransomware developer provides a builder that enables buyers to customise their ransomware without revealing any source code.

Conclusion

The adoption of the PolyVice Ransomware variant has further strengthened Vice Society’s ransomware campaigns, and the growth in specialisation and outsourcing presents a significant threat to organisations. It is crucial for organisations to be aware of this trend and take steps to protect against these increasingly sophisticated threats.