PolyVice ransomware added by Vice Society to its weapons

December 28, 2022
PolyVice Ransomware Vice Society US Education ThreatGroup Cyberthreat

The Vice Society threat group has added the PolyVice ransomware to its current sets of arsenals for their campaign. This new weapon is a custom-branded ransomware payload authored by the threat group.

According to investigations, the PolyVice ransomware variant was initially spotted by researchers last July. However, the group only started using the variant in late September this year.

The researchers explained that the PolyVice ransomware variant is a 64-bit binary that utilises a hybrid encryption technique. The technique mixes asymmetric encryption with the NTRUEncrypt algorithm and symmetric encryption with the ChaCha20-Poly1305 algorithm.

Moreover, the ransomware group has utilised intermittent or partial encryption, where a small portion of files is encrypted instead of encrypting the whole dataset. This strategy leaves the data unusable within a fraction of the time necessary compared to encrypting the entire document.


The PolyVice ransomware uses an unusual technique for its encryption process.


Based on reports, the PolyVice ransomware uses a multi-threading approach that operates the encryption process through parallel processing on the target’s processor. In addition, every worker node of this parallel processing further analyses the size of the targeted file to estimate the speed for faster and more efficient encryption.

The ransomware fully encrypts documents smaller than five megabytes, and the attack partially encrypts bigger files. The researchers also explained that file sizes between five and 10 MB are encrypted to 2.5 and divided into two chunks. On the other hand, ten pieces of 2.5 MB each are encrypted across the file.

Lastly, the encryption process appends the [.]ViceSociety file extension to all encrypted data and drops ransom notes with the file name AllYFilesAE in each encrypted document. Moreover, each PolyVice worker adds details relevant to decryption at the file footer.

Cybersecurity experts noted that the Vice Society group is upgrading their ransomware campaign by utilising its expertise, such as using better intermittent encryption methods and more robust encryption algorithms. Therefore, organisations and researchers should keep an eye on this threat group as it could attack more entities as it gets more extensive and more hostile.

About the author

Leave a Reply