{
	"id": "d2b2c5c2-f3eb-48a4-899c-70b1991b589e",
	"created_at": "2026-04-06T00:06:14.043889Z",
	"updated_at": "2026-04-10T13:12:50.69295Z",
	"deleted_at": null,
	"sha1_hash": "9de887801ede1c6ce40feb27f0fa51eb8e4743a4",
	"title": "Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4123010,
	"plain_text": "Custom-Branded Ransomware: The Vice Society Group and the\r\nThreat of Outsourced Development\r\nBy Antonio Cocomazzi\r\nPublished: 2022-12-22 · Archived: 2026-04-05 18:43:12 UTC\r\nExecutive Summary\r\nThe Vice Society group has adopted a new custom-branded ransomware payload in recent intrusions\r\nThis ransomware variant, dubbed “PolyVice”, implements a robust encryption scheme, using\r\nNTRUEncrypt and ChaCha20-Poly1305 algorithms\r\nWe assess it is likely that the group behind the custom-branded ransomware for Vice Society is also selling\r\nsimilar payloads to other groups\r\nBackground\r\nFirst identified in June 2021, Vice Society is a well-resourced ransomware group that has successfully breached\r\nvarious types of organizations. Using the classic double extortion technique, they set about maximizing financial\r\ngain with purely opportunistic targeting. In recent months, Vice Society has expanded its target selection strategy\r\nto include additional sensitive sectors.\r\nThe TTPs are nothing new. They include initial network access through compromised credentials, exploitation of\r\nknown vulnerabilities (e.g., PrintNightmare), internal network reconnaissance, abuse of legitimate tools (aka\r\nCOTS and LOLBins), commodity backdoors, and data exfiltration.\r\nRather than using or developing their own locker payload, Vice Society operators have deployed third-party\r\nransomware in their intrusions, including HelloKitty, Five Hands, and Zeppelin.\r\nVice Society Ransomware and Links to Other Ransomware Variants\r\nIn a recent intrusion, we identified a ransomware deployment that appended the file extension .ViceSociety to\r\nall encrypted files in addition to dropping ransom notes with the file name “AllYFilesAE” in each encrypted\r\ndirectory.\r\nOur initial analysis suggested the ransomware, which we dubbed “PolyVice”, was in the early stages of\r\ndevelopment. 
The presence of debugging messages suggested that the Vice Society group may be developing their\r\nown ransomware implementation.\r\nZeppelin ransomware, previously seen used by the group, was recently found to implement a weak encryption\r\nscheme that allows for decryption of locked files, potentially motivating the group to adopt a new locker.\r\nhttps://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/\r\nPage 1 of 16\n\nHowever, further investigation showed that a decryptor related to the PolyVice variant first appeared in the wild\r\non July 13, 2022, indicating that the locker could not have been in the early stages of development and that a\r\n“release” version existed prior to the group’s use of Zeppelin and other ransomware variants.\r\nOur analysis suggests that Vice Society has used a toolkit overpopulated with different ransomware strains and\r\nvariants.\r\nWe identified significant overlap in the encryption implementation observed in the “RedAlert”\r\nransomware, a Linux locker variant targeting VMware ESXi servers, suggesting that both variants were\r\ndeveloped by the same group of individuals.\r\nAccording to Microsoft, Vice Society adopted the RedAlert variant in late September 2022. 
We haven’t\r\nbeen able to confirm if a RedAlert Windows variant payload existed in the wild at the time, or if the\r\nWindows variant we track as PolyVice has any relation to it.\r\nFurther investigation also revealed that the codebase used to build the Vice Society Windows payload has been\r\nused to build custom-branded payloads for other threat groups, including the “Chily” and “SunnyDay”\r\nransomware.\r\nCode similarities between Vice Society and Chily Ransomware\r\nCode similarities between Vice Society and SunnyDay Ransomware\r\nThese numbers provide clear evidence that the code is maintained by the same developers.\r\nThe Vice Society branded payload has 100% matched functions compared to the Chily branded payload,\r\nindicating that the executable codebase is identical.\r\nThe SunnyDay branded payload is an older version of the codebase that has a 100% match on 410\r\nfunctions and is missing an additional 37 net new functions implemented in the Vice Society codebase.\r\nThe real difference is in the intended use of the code exemplified by the data section, where all of the ransomware\r\ncampaign details are stored, such as the encrypted file extension, ransom note file name, hardcoded master key,\r\nransom note content, and wallpaper text.\r\nData section comparison Vice Society (above) Chily Ransomware (below)\r\nWe assess it’s likely that a previously unknown developer or group of developers with specialized expertise in\r\nransomware development is selling custom-branded ransomware payloads to multiple groups. 
The details\r\nembedded in these payloads make it highly unlikely that Vice Society, SunnyDay, and Chily ransomware are\r\noperated by the same group.\r\nThe delivery method for this “Locker as a Service” is unclear, but the code design suggests the ransomware\r\ndeveloper provides a builder that enables buyers to independently generate any number of lockers/decryptors by\r\nbinary patching a template payload. This allows buyers to customize their ransomware without revealing any\r\nsource code. Unlike other known RaaS builders, buyers can generate branded payloads, enabling them to run their\r\nown RaaS programs.\r\nAnalyzing PolyVice | Initialization of the NTRU Asymmetric Keys\r\nPolyVice ransomware is a 64-bit Windows binary compiled with MinGW (SHA1: c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac).\r\nPolyVice implements a hybrid encryption scheme that combines asymmetric and symmetric encryption to\r\nsecurely encrypt files.\r\nFor asymmetric encryption, it uses an open source implementation of the NTRUEncrypt algorithm, which is\r\nknown to be quantum-resistant. For symmetric encryption, it uses an open source implementation of the\r\nChaCha20-Poly1305 algorithm, a stream cipher with message authentication, a 256-bit key and 96-bit nonce.\r\nIn the initialization phase, it imports a hardcoded NTRU Public Key generated offline with the provider\r\nEES587EP1 (192 bits strength):\r\nCode to import the hardcoded master NTRU public key\r\nSubsequently, a new random NTRU key pair is generated on the victim system at runtime with the provider\r\nEES401EP2 (112 bits strength):\r\nNTRU key pairs runtime initialization\r\nThe newly generated NTRU key pair is unique to each execution and tied to the victim system. 
This is the key that\r\nwill be used for encrypting the ChaCha20-Poly1305 symmetric keys.\r\nIn order to protect the generated NTRU private key, the ransomware encrypts it through the ntru_encrypt\r\nfunction with the hardcoded NTRU public key (also referred to as the master public key):\r\nCode to protect the NTRU private key\r\nThe encrypted copy of the NTRU private key generated at runtime is stored in a configuration blob. The\r\nconfiguration blob is contained within a custom data structure “CustomConfigBlog”:\r\nCustomConfigBlog data structure definition\r\nThe configuration blob also stores the random NTRU public key generated on the system:\r\nCode to export the NTRU public key generated at runtime\r\nThe configuration blob is stored in a global variable, allowing it to be retrieved during the symmetric encryption\r\npreparation stage. Once the initialization of the NTRU keys is complete, the malware proceeds to implement a\r\nmethod for parallelizing the encryption routine across multiple workers. 
This speeds up the encryption process and\r\nmakes it more efficient.\r\nParallelizing Encryption\r\nThe PolyVice locker utilizes a multi-threading approach to parallelize the encryption of the files.\r\nThis is achieved through the CreateThread function to spawn multiple workers; synchronization with the\r\nmain thread occurs through a WaitForMultipleObjects call.\r\nIn order to exchange data between the main thread and the worker threads, it uses an I/O completion port,\r\ncreated through the Win32 API call CreateIoCompletionPort, which provides an efficient way to\r\nmanage concurrent asynchronous I/O requests through a queue.\r\nMore specifically, PolyVice uses the following data structure to exchange data between the main thread and the\r\nworkers:\r\nCustomCompletionPortStruct data structure definition\r\nWorker Threads\r\nThe worker threads are in charge of the symmetric encryption of the files’ content. Each thread constantly polls for\r\nan I/O completion packet from the global I/O completion port. The packet received from\r\nGetQueuedCompletionStatus contains a data structure CustomCompletionPortStruct that is expected to be\r\npopulated by the main thread in the symmetric encryption preparation stage. All the required data to perform the\r\nfile encryption are contained in this data structure.\r\nEach worker thread implements all of the operations to read the file content, perform the ChaCha20-Poly1305\r\nencryption, write the encrypted blocks back to the file and append the file footer:\r\nWorker threads code\r\nThis payload, like many modern ransomware variants, employs optimization techniques in its encryption routine\r\nto improve speed. 
These optimization efforts often involve additional care in the reading and writing of file\r\nchunks.\r\nThe manner in which these optimizations are carried out is determined by specific parameters set in the\r\nCustomCompletionPortStruct data structure, which is passed to the completion port by the main thread during\r\nthe symmetric encryption preparation stage. The core element that dictates the use of these optimization\r\ntechniques is the size of the file.\r\nThe two functions for reading and writing the file content are shown below:\r\nFile blocks Read (left) / Write (right) logics\r\nDue to the compiler optimizations, the code flow of the two functions looks twisted. The code logic can be\r\nsummarized (with file sizes rounded for the sake of simplicity) as follows:\r\n- Files smaller than 5MB are fully encrypted.\r\n- Files with a size between 5MB and 100MB are partially encrypted:\r\n  - A total of 5MB of content is encrypted, split into 2 chunks of 2.5MB: the first chunk from\r\nthe top and the second chunk from the bottom of the file.\r\n- Files bigger than 100MB are partially encrypted:\r\n  - A total of 25MB of content is encrypted in intermittent mode, split into 10 chunks of 2.5MB\r\ndistributed every 10% of the file size.\r\nThe final step in the encryption process is the addition of a file footer to each encrypted file. 
This is an essential\r\nstep because the file footer contains the information needed to decrypt the file, which can be unlocked only by the\r\nmaster private key holder (usually the attacker).\r\nThe following data structure is appended as file footer to each encrypted file:\r\nCustomFileFooter data structure definition\r\nMain Thread Functionality\r\nOnce the main thread has completed the setup of all worker threads running in the background, the ransomware\r\nproceeds to the file enumeration stage. If no arguments are provided to the process command line, the ransomware\r\nwill execute its default behavior.\r\nThis involves the enumeration of all local and remote drives, including network shares:\r\nMain thread file enumeration routine\r\nFor each discovered drive, the function EnumAndEncryptFilesFromPath (pseudo name) is invoked with the root\r\npath as its input parameter. This function uses the Win32 API calls FindFirstFile and FindNextFile to retrieve the\r\npaths of all files from all directories and subdirectories within the starting path.\r\nWhen a new file is discovered, the symmetric encryption preparation stage is invoked through the function\r\nPrepareFileForSymmetricEncryption (pseudo name), and the ransom note is copied into the enumerated\r\ndirectory:\r\nCode for EnumAndEncryptFilesFromPath function\r\nThe PrepareFileForSymmetricEncryption function is used for the symmetric encryption preparation stage:\r\nCode for PrepareFileForSymmetricEncryption function\r\nThe function sets up the CustomCompletionPortStruct data structure with the information needed for symmetric\r\nencryption of the file. 
It then generates and stores a new ChaChaPoly symmetric key and nonce in the data\r\nstructure. It is important to note that this initialization is performed for each file to be encrypted, ensuring that\r\neach file has a unique symmetric key. The ChaChaPoly symmetric key and nonce are then encrypted using the\r\nNTRU public key generated at runtime on the victim system. Once this is done, the file is ready for encryption\r\nand all the required data is set up in the data structure.\r\nThe main thread sends the data structure to the completion port via PostQueuedCompletionStatus, where it will be\r\nretrieved by one of the worker threads that is currently available for processing.\r\nAfter enumerating all the files and sending them to the worker threads, the main thread will use the\r\nWaitForMultipleObjects function to wait until all worker threads have completed their symmetric encryption\r\ntasks.\r\nThe strong encryption scheme and emphasis on performance optimization suggest that the ransomware was likely\r\ndeveloped by an experienced developer or team of developers who are familiar with ransomware development.\r\nConclusion\r\nThe Vice Society group has established itself as a highly resourced and capable threat actor, capable of\r\nsuccessfully carrying out ransom attacks against large environments and with connections within the criminal\r\nunderground.\r\nThe adoption of the PolyVice Ransomware variant has further strengthened their ransomware campaigns, enabling\r\nthem to quickly and effectively encrypt victims’ data using a robust encryption scheme.\r\nThe ransomware ecosystem is constantly evolving, with the trend of hyperspecialization and outsourcing\r\ncontinuously growing. 
These groups are focusing on specific skill sets and offering them as a service to other\r\ngroups, effectively mimicking traditional “professional services” and lowering barriers to entry for less capable\r\ngroups.\r\nThis trend towards specialization and outsourcing presents a significant threat to organizations as it enables the\r\nproliferation of sophisticated ransomware attacks. It is crucial for organizations to be aware of this trend and take\r\nsteps to protect themselves against these increasingly sophisticated threats.\r\nIndicators of Compromise\r\nType | Value | Note\r\nSHA1 | c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac | “Vice Society” branded ransomware payload (PolyVice)\r\nSHA1 | 342c3be7cb4bae9c8476e578ac580b5325342941 | “Vice Society” branded ransomware payload (PolyVice)\r\nSHA256 | f366e079116a11c618edcb3e8bf24bcd2ffe3f72a6776981bf1af7381e504d61 | “Vice Society” branded ransomware payload (PolyVice)\r\nSHA1 | da6a7e9d39f6a9c802bbd1ce60909de2b6e2a2aa | “RedAlert” branded ransomware linux variant\r\nSHA256 | 039e1765de1cdec65ad5e49266ab794f8e5642adb0bdeb78d8c0b77e8b34ae09 | “RedAlert” branded ransomware linux variant\r\nSHA1 | 2b3fea431f342c7b8bcff4b89715002e44d662c7 | “SunnyDay” branded ransomware payload\r\nSHA256 | 7b379458349f338d22093bb634b60b867d7fd1873cbd7c65c445f08e73cbb1f6 | “SunnyDay” branded ransomware payload\r\nSHA1 | 6cfb5b4a68100678d95270e3d188572a30abd568 | “Chily” branded ransomware payload\r\nSHA256 | 4dabb914b8a29506e1eced1d0467c34107767f10fdefa08c40112b2e6fc32e41 | “Chily” branded ransomware payload\r\nSHA1 | a0f58562085246f6b544b7e24dc78c17ce7ed5ad | NTRU-ChaChaPoly (PolyVice) ransomware decryptor\r\nSHA256 | 9d9e949ecd72d7a7c4ae9deae4c035dcae826260ff3b6e8a156240e28d7dbfef | NTRU-ChaChaPoly (PolyVice) ransomware decryptor\r\nSHA1 | 0abc350662b81a7c81aed0676ffc70ac75c1a495 | NTRU-ChaChaPoly (PolyVice) ransomware decryptor\r\nSHA256 | 326a159fc2e7f29ca1a4c9a64d45b76a4a072bc39ba864c49d804229c5f6d796 | NTRU-ChaChaPoly (PolyVice) ransomware decryptor\r\nSHA1 | 3105d6651f724ac90ff5cf667a600c36b0386272 | NTRU-ChaChaPoly (PolyVice) ransomware decryptor\r\nSHA256 | 8c8cb887b081e0d92856fb68a7df0dabf0b26ed8f0a6c8ed22d785e596ce87f4 | NTRU-ChaChaPoly (PolyVice) ransomware decryptor\r\nFile extension | .ViceSociety | Vice Society file extension appended to encrypted files\r\nFile extension | .v-society | Vice Society file extension appended to encrypted files\r\nFile name | AllYFilesAE | Vice Society ransom note file name\r\nFile name | ALL YOUR FILES ARE ENCRYPTED!!! | Vice Society ransom note file name\r\nEmail address | v-society.official@onionmail[.]org | Vice Society main email\r\nEmail address | EliasDibbert@onionmail[.]org | Vice Society alternative email\r\nEmail address | YvoneKirlin@onionmail[.]org | Vice Society alternative email\r\nEmail address | NormanTerry@onionmail[.]org | Vice Society alternative email\r\nEmail address | SylvesterTurcotte@onionmail[.]org | Vice Society alternative email\r\nTor address | vsociethok6sbprvevl4dlwbqrzyhxcxaqpvcqt5belwvsuxaxsutyad[.]onion | Vice Society main tor website\r\nTor address | vsocietyjynbgmz4n4lietzmqrg2tab4roxwd2c2btufdwxi6v2pptyd[.]onion | Vice Society mirror tor website\r\nTor address | ssq4zimieeanazkzc5ld4v5hdibi2nzwzdibfh5n5w4pw5mcik76lzyd[.]onion | Vice Society mirror tor website\r\nTor address | wmp2rvrkecyx72i3x7ejhyd3yr6fn5uqo7wfus7cz7qnwr6uzhcbrwad[.]onion | Vice Society mirror tor website\r\nTor address | ml3mjpuhnmse4kjij7ggupenw34755y4uj7t742qf7jg5impt5ulhkid[.]onion | Vice Society mirror tor website\r\nTor address | fuckcisanet5nzv4d766izugxhnqqgiyllzfynyb4whzbqhzjojbn7id[.]onion | Vice Society mirror tor website\r\nTor address | fuckfbrlvtibsdw5rxtfjxtog6dfgpz62ewoc2rpor2s6zd5nog4zxad[.]onion | Vice Society mirror tor website\r\nTor address | wjdgz3btk257obba7aekowz7ylm33zb6hu4aetxc3bypfajixzvx4iad[.]onion | RedAlert tor website\r\nYara Hunting Rules\r\nrule MAL_Win_Ransomware_ViceSociety {\r\n meta:\r\n author = \"Antonio Cocomazzi @ SentinelOne\"\r\n description = \"Detect a custom branded version of Vice Society ransomware\"\r\n date = \"2022-11-28\"\r\n reference = \"https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-an\r\n hash = \"c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac\"\r\n strings:\r\n $code1 = {4? 8B ?? 28 00 02 00 }\r\n $code2 = {4? C7 ?? 18 03 02 00 A3 00 00 00}\r\n $code3 = {(48|49) 8D 8? 58 00 02 00}\r\n $code4 = {(48|49) 8D 9? E8 02 02 00}\r\n $code5 = {(48|4C) 89 ?? 24 38}\r\n $code6 = {4? 8B ?? 
F8 02 02 00}\r\n $code7 = {C7 44 24 48 01 00 00 00}\r\n $string1 = \"vsociet\" nocase wide ascii\r\n condition:\r\n uint16(0) == 0x5A4D and all of them\r\n}\r\nrule MAL_Win_Ransomware_PolyVice {\r\n meta:\r\n author = \"Antonio Cocomazzi @ SentinelOne\"\r\n description = \"Detect a windows ransomware variant tracked as PolyVice adopted by multiple threat\r\n date = \"2022-11-28\"\r\n reference = \"https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-an\r\n hash1 = \"c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac\"\r\n hash2 = \"6cfb5b4a68100678d95270e3d188572a30abd568\"\r\n hash3 = \"2b3fea431f342c7b8bcff4b89715002e44d662c7\"\r\n strings:\r\n $code1 = {4? 8B ?? 28 00 02 00 }\r\n $code2 = {4? C7 ?? 18 03 02 00 A3 00 00 00}\r\n $code3 = {(48|49) 8D 8? 58 00 02 00}\r\n $code4 = {(48|49) 8D 9? E8 02 02 00}\r\n $code5 = {(48|4C) 89 ?? 24 38}\r\n $code6 = {4? 8B ?? 
F8 02 02 00}\r\n $code7 = {C7 44 24 48 01 00 00 00}\r\n condition:\r\n uint16(0) == 0x5A4D and all of them\r\n}\r\nrule MAL_Lin_Ransomware_RedAlert {\r\n meta:\r\n author = \"Antonio Cocomazzi @ SentinelOne\"\r\n description = \"Detect a linux ransomware variant dubbed as RedAlert\"\r\n date = \"2022-11-28\"\r\n reference = \"https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-an\r\n hash = \"da6a7e9d39f6a9c802bbd1ce60909de2b6e2a2aa\"\r\n strings:\r\n $code1 = {BA 48 00 00 00 BE [4] BF [4] E8 [4] BA 48 00 00 00 BE [4] BF [4] E8}\r\n $code2 = {BF [4] 66 [6] 6B 06 E8}\r\n $code3 = {B9 02 00 00 00 [0-12] BE 14 00 00 00 BF}\r\n $code4 = {49 81 FE 00 00 50 00 [0-12] 0F}\r\n $code5 = {49 81 FE 00 00 40 06 [0-12] 0F}\r\n condition:\r\n uint32(0) == 0x464c457f and all of them\r\n}\r\nSource: https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.sentinelone.com/labs/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development/"
	],
	"report_names": [
		"custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433974,
	"ts_updated_at": 1775826770,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9de887801ede1c6ce40feb27f0fa51eb8e4743a4.pdf",
		"text": "https://archive.orkl.eu/9de887801ede1c6ce40feb27f0fa51eb8e4743a4.txt",
		"img": "https://archive.orkl.eu/9de887801ede1c6ce40feb27f0fa51eb8e4743a4.jpg"
	}
}