Vice Society

History of Vice Society

Vice Society is a ransomware group that emerged in early to mid 2021. It targets both Windows and Linux operating systems, with the Linux variant aimed mainly at virtual operating environments such as VMware ESXi. The group uses the classic double extortion approach: data is exfiltrated before encryption, and its publication is threatened if the ransom is not paid.

Selected Attacks

Vice Society, also known as PolyVice, is well known for targeting educational organisations such as the UK Scholars' Education Trust, but other sectors that have been attacked include healthcare and non-governmental organisations (NGOs). Probably the highest-profile attack was the one on the San Francisco rapid transit system.

Technical Details

Although the data exfiltration component appears to be written in PowerShell, the Vice Society encryption component executes as a C++ executable. Vice Society encrypts files using the ChaCha20-Poly1305 algorithm. Once a file is encrypted it is given the extension 'SunnyDay', and a ransom note is dropped into the target folder. Folders and files are left unencrypted when their name contains any of the following strings: old, Backup, Delete, Snap, System, Windows, Chrome, Mozilla, ESET, Package Cache, VMWare, Microsoft, Sophos, System Volume Information, PerfLogs, Recovery, Boot, Program Files, ProgramData, msys64, apache-ant, libarchive, MinGW, Ruby, mysql-connector, svm-map, TDM-GCC, inetpub, pris_temp, Request, VMMShare, Logs, WindowsAzure, Packages, .cargo, .gradle.
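As an added defender-side example (not code from this page or from MemCrypt), the following Python script walks a directory tree and triages the artifacts described above: files renamed with the SunnyDay extension, the ransom note filename given in the next section, and the exclusion list. It assumes the exclusion check is a case-sensitive substring match on the path, and it builds a constructed sample tree so it runs offline.

```python
import os
import tempfile
# Artifacts named on the page: encrypted-file extension and ransom note filename.
ENCRYPTED_EXT = ".SunnyDay"
RANSOM_NOTE = "!-Recovery_Instructions-!.html"

# The page's exclusion list, duplicates removed; assumed case-sensitive substring match on the path.
SKIPPED_MARKERS = {
    "old", "Backup", "Delete", "Snap", "System", "Windows", "Chrome", "Mozilla", "ESET",
    "Package Cache", "VMWare", "Microsoft", "Sophos", "System Volume Information",
    "PerfLogs", "Recovery", "Boot", "Program Files", "ProgramData", "msys64", "apache-ant",
    "libarchive", "MinGW", "Ruby", "mysql-connector", "svm-map", "TDM-GCC", "inetpub",
    "pris_temp", "Request", "VMMShare", "Logs", "WindowsAzure", "Packages", ".cargo", ".gradle",
}

def is_skipped_path(rel_path):
    """True if the page's list says the encryptor skips this path ("old" also hits e.g. "Golden")."""
    return any(marker in rel_path for marker in SKIPPED_MARKERS)

def triage_tree(root):
    """Walk root; list SunnyDay files, ransom notes, and two inconsistencies worth a look."""
    encrypted, notes, unexpected = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name == RANSOM_NOTE:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_EXT):
                encrypted.append(rel)
                if is_skipped_path(rel):  # encrypted although the list says "skip"
                    unexpected.append(rel)
    note_dirs = {os.path.dirname(n) for n in notes}
    missing_note = sorted({os.path.dirname(e) for e in encrypted} - note_dirs)
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "unexpected": sorted(unexpected), "dirs_missing_note": missing_note}

def build_sample_tree(root):
    """Constructed sample tree (not real case data) so the triage runs offline."""
    for rel in ["Finance/q3.xlsx" + ENCRYPTED_EXT, "Finance/" + RANSOM_NOTE,
                "HR/contracts.docx" + ENCRYPTED_EXT,      # encrypted, no note dropped
                "Logs/app.log" + ENCRYPTED_EXT,           # should have been skipped
                "Windows/System32/kernel32.dll", "Backup/db.bak"]:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

def run_demo():
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return triage_tree(root)
```

Folders holding SunnyDay files but no note, or SunnyDay files under an "excluded" path, are the places to inspect first, since they do not match the behaviour described above.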

Ransom Note

The Vice Society ransom note is called ‘!-Recovery_Instructions-!.html’. The content of the ransom note is:

If you get this message, your network was hacked!

After we gained full access to your servers, we first downloaded a large amount of sensitive data and then encrypted all the data stored on them.

That includes personal information on your clients, partners, your personnel, accounting documents, and other crucial files that are necessary for your company to work normally.

We used modern complicated algorithms, so you or any recovery service will not be able to decrypt files without our help, wasting time on these attempts instead of negotiations can be fatal for your company.

Make sure to act within 72 hours or the negotiations will be considered failed!

Inform your superior management about what's going on.

Contact us for price and get decryption software.

Contact us by email:

restoreassistance_net@wholeness.business

If you will get no answer within 24 hours contact us by our alternate emails:

restoreassistance_net@decorous.cyou

To verify the possibility of the recovery of your files we can decrypted 1-3 file for free.

Attach file to the letter (no more than 5Mb).

If you and us succeed the negotiations we will grant you:

  • complete confidentiality, we will keep in secret any information regarding to attack, your company will act as if nothing had happened.
  • comprehensive information about vulnerabilities of your network and security report.
  • software and instructions to decrypt all the data that was encrypted.
  • all sensitive downloaded data will be permanently deleted from our cloud storage and we will provide an erasure log.

Our options if you act like nothing's happening, refuse to make a deal or fail the negotiations:

  • inform the media and independent journalists about what happened to your servers. To prove it we'll publish a chunk of private data that you should have ciphered if you care about potential breaches. Moreover, your company will inevitably take decent reputational loss which is hard to assess precisely.
  • inform your clients, employees, partners by phone, e-mail, sms and social networks that you haven't prevent their data leakage. You will violate laws about private data protection.
  • start DDOS attack on you website and infrastructures.
  • personal data stored will be put on sale on the Darknet to find anyone interested to buy useful information regarding your company. It could be data mining agencies or your market competitors.
  • publish all the discovered vulnerabilities found in your network, so anyone will do anything with it.

Why pay us?

We care about our reputation. You are welcome to google our cases up and be sure that we don't have a single case of failure to provide what we promissed.

Turning this issue to a bug bounty will save your private information, reputation and will allow you to use the security report and avoid this kind of situations in future.

Your personal ID

## Recovery

MemCrypt Detect identifies live ransomware attacks and uses file and memory forensics to detect, prevent, and recover from them. We have recovered data using our product against a wide range of ransomware families, including Vice Society, that use standard and non-standard encryption algorithms.

Please contact us on sales@memcrypt.io to see how we can assist you in recovering from ransomware.

## DISCLAIMER

This document is not a substitute for obtaining security and legal advice. All reasonable measures should be taken to lower the risk of exploitable potential weaknesses. This report does not constitute a guarantee or assurance of compliance. MemCrypt is not ultimately responsible for assessing and meeting compliance responsibilities.