SentinelOne researchers found that the Vice Society group has acquired custom ransomware that implements a robust encryption scheme built on the NTRUEncrypt and ChaCha20-Poly1305 algorithms. This variant is called PolyVice. It was used in one of the gang's most recent attacks and appends the extension .vicesociety to every encrypted file. A ransom note named AllYFilesAE was dropped in every encrypted directory.
The researchers believe the ransomware is still at an early stage of development, since debugging messages were found in its code. PolyVice also turned out to be extremely similar to RedAlert, which led the experts to suggest that both programs were developed by the same group.
Further investigation also showed that the Vice Society Windows code base was used to build the Chily and SunnyDay payloads.
PolyVice's encryption scheme combines asymmetric and symmetric encryption to encrypt files reliably: the malware uses the quantum-resistant NTRUEncrypt algorithm for asymmetric encryption and ChaCha20-Poly1305 for symmetric encryption.
The malware calls the CreateThread function to spawn several worker threads and relies on WaitForMultipleObjects to synchronise them with the main thread. The main thread and the worker threads exchange data through an I/O completion port.
PolyVice applies intermittent encryption selectively, depending on file size:
Files smaller than 5 MB are encrypted in full;
Files from 5 MB to 100 MB are partially encrypted:
5 MB of content is encrypted, split into two 2.5 MB fragments: the first taken from the top of the file and the second from the bottom.
Files larger than 100 MB are partially encrypted:
25 MB of content is encrypted, divided into ten 2.5 MB fragments placed at every 10% of the file size.
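For an analyst triaging affected files or writing recovery tooling, it helps to know exactly which byte ranges the tiers above touch. The following Python is an added example written for this page, not code from the SentinelOne report or from the malware: it only models the size tiers as described, and it assumes that "MB" means 1024*1024 bytes and that in the large-file tier each fragment starts at i * size / 10 for i = 0..9, neither of which the text states.

```python
"""Model of PolyVice's intermittent-encryption layout (added example).

Computes which byte ranges of a file would be encrypted for each size tier
described in the report, so that triage tools can tell which parts of a
file are intact. The MiB convention and the exact fragment offsets for the
large-file tier are assumptions, not facts from the report.
"""
from typing import List, Tuple

MIB = 1024 * 1024            # assumption: the report's "MB" means MiB
CHUNK = int(2.5 * MIB)       # one 2.5 MB fragment = 2,621,440 bytes
SMALL_LIMIT = 5 * MIB        # below this the whole file is encrypted
LARGE_LIMIT = 100 * MIB      # above this the ten-fragment layout applies

Region = Tuple[int, int]     # half-open byte range [start, end)


def encrypted_regions(file_size: int) -> List[Region]:
    """Return the byte ranges the scheme encrypts for a file of file_size bytes."""
    if file_size < SMALL_LIMIT:
        # small file: everything is encrypted
        return [(0, file_size)]
    if file_size <= LARGE_LIMIT:
        # 5 MB total, split into a 2.5 MB head fragment and a 2.5 MB tail fragment
        return [(0, CHUNK), (file_size - CHUNK, file_size)]
    # > 100 MB: ten 2.5 MB fragments, one starting at every 10% of the file
    # (assumed offsets: i * size / 10 for i = 0..9; 25 MB total)
    regions: List[Region] = []
    for i in range(10):
        start = file_size * i // 10
        regions.append((start, min(start + CHUNK, file_size)))
    return regions


def encrypted_byte_count(file_size: int) -> int:
    """Total number of bytes the scheme would overwrite in a file of this size."""
    return sum(end - start for start, end in encrypted_regions(file_size))


def encrypted_fraction(file_size: int) -> float:
    """Share of the file that is actually ciphertext (1.0 for small files)."""
    return encrypted_byte_count(file_size) / file_size


def offset_is_encrypted(file_size: int, offset: int) -> bool:
    """True if the byte at `offset` lies in an encrypted region.

    Recovery tooling can use this to decide whether a record, page or block
    of a large file (for example a database page) is still readable.
    """
    return any(start <= offset < end for start, end in encrypted_regions(file_size))


if __name__ == "__main__":
    # constructed sample sizes, one per tier plus one very large file
    for size in (1 * MIB, 10 * MIB, 200 * MIB, 10 * 1024 * MIB):
        regs = encrypted_regions(size)
        print(f"{size // MIB:>6} MiB: {len(regs):>2} region(s), "
              f"{encrypted_fraction(size):.1%} of the file encrypted")
```

The useful takeaway for defenders is in the last line of the output: past 100 MB the share of the file that is actually ciphertext shrinks as the file grows (2.5% at 1 GiB), which is why a partially encrypted large file can still be partly recoverable and why file-entropy detections that look at whole files become unreliable against this layout.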
The report concludes that the arrival of PolyVice, with its robust encryption scheme, has made the group even more dangerous.