{"id":223638,"date":"2023-02-14T15:34:06","date_gmt":"2023-02-14T14:34:06","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=223638"},"modified":"2023-02-14T15:34:06","modified_gmt":"2023-02-14T14:34:06","slug":"vice-society-spreads-its-own-ransomware","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/vice-society-spreads-its-own-ransomware\/","title":{"rendered":"Vice Society spreads its own ransomware"},"content":{"rendered":"<p>Vice Society is a financially motivated organization encompassing operators and opportunistic intrusion sets known for intrusion, exfiltration and extortion against a large sample of victims since June 2021. The operator(s) of these alleged intrusion sets maintain(s) an active infrastructure, as new victims are constantly added to the anonymized, dedicated leak site where the victims' data is exposed.<\/p>\n<p>The actors affiliated with Vice Society leverage not only custom Vice Society branded variants but also several ransomware-as-a-service payloads (BlackCat) as well as purchased malware (Zeppelin) to conduct attack campaigns. Sometimes, affiliates do not or cannot encrypt data and resort solely to exposing exfiltrated data to get the ransom paid. 
The overall TTPs are close to those usually observed among Russian-speaking extortion groups that have made headlines in recent years.<\/p>\n<p>We provide here threat intelligence on a variant of a Vice Society locker specimen, dubbed PolyVice by <a href=\"https:\/\/www.sentinelone.com\/labs\/custom-branded-ransomware-the-vice-society-group-and-the-threat-of-outsourced-development\/\">SentinelOne<\/a>. Slight changes were recently observed in the file extension and contact email, which substantiates that Vice Society affiliates use customizable builders.<\/p>\n<p><a href=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/02\/20230119_TLPCLEAR_Vice_Society_BLOG_Version_EN.pdf\">Continue reading<\/a><\/p>","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":224043,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[62],"class_list":["post-223638","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-non-categorise","tag-cyber-threat-intelligence-en"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.8) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>INTRINSEC - Vice Society spreads its own ransomware<\/title>\n<meta name=\"description\" content=\"CERT Intrinsec dealt with the newly discovered bypass of ProxyNotShell named OWASSRF and this article details its modus operandi\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/vice-society-spreads-its-own-ransomware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vice Society spreads its own ransomware\" \/>\n<meta property=\"og:description\" content=\"CERT Intrinsec dealt with the newly discovered bypass of ProxyNotShell named OWASSRF and this article details its modus operandi\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/vice-society-spreads-its-own-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-14T14:34:06+00:00\" \/>\n<meta name=\"author\" content=\"Intrinsec\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@Intrinsec\" \/>\n<meta name=\"twitter:site\" content=\"@Intrinsec\" 
\/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Intrinsec\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/\"},\"author\":{\"name\":\"Intrinsec\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\"},\"headline\":\"Vice Society spreads its own ransomware\",\"datePublished\":\"2023-02-14T14:34:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/\"},\"wordCount\":426,\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"keywords\":[\"Cyber Threat Intelligence\"],\"articleSection\":[\"Non cat\u00e9goris\u00e9\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/\",\"name\":\"INTRINSEC - Vice Society spreads its own ransomware\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#primaryimage\"},\"thumbnailUrl\":\"\",\"datePublished\":\"2023-02-14T14:34:06+00:00\",\"description\":\"CERT Intrinsec 
dealt with the newly discovered bypass of ProxyNotShell named OWASSRF and this article details its modus operandi\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#primaryimage\",\"url\":\"\",\"contentUrl\":\"\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/vice-society-spreads-its-own-ransomware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vice Society spreads its own ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le 
v\u00f4tre\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#organization\",\"name\":\"INTRINSEC\",\"alternateName\":\"ISEC\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2025\\\/02\\\/libellule.png\",\"width\":1322,\"height\":1322,\"caption\":\"INTRINSEC\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/Intrinsec\",\"https:\\\/\\\/fr.linkedin.com\\\/company\\\/intrinsec\",\"https:\\\/\\\/www.youtube.com\\\/channel\\\/UC0trUZAHNZOUbxYnNdecM4A\"],\"description\":\"soci\u00e9t\u00e9 de consulting, pure player cybers\u00e9curit\u00e9 fran\u00e7ais et europ\u00e9en depuis plus de 30ans, sp\u00e9cialiste dans la s\u00e9curit\u00e9 offensive & audit (pentest\\\/red team), GRC, et services IMSS comme le SOC, CTI et CERT Intrinsec est qualifi\u00e9 PASSI Elev\u00e9, PRIS Elev\u00e9 et PACS par 
l'ANSSI\",\"email\":\"contact@intrinsec.com\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/ade590fbc7ad6f413727bae7cd3fb799\",\"name\":\"Intrinsec\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g\",\"caption\":\"Intrinsec\"},\"sameAs\":[\"https:\\\/\\\/www.intrinsec.com\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/ufhtbqccsz\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"INTRINSEC - Vice Society spreads its own ransomware","description":"CERT Intrinsec dealt with the newly discovered bypass of ProxyNotShell named OWASSRF and this article details its modus operandi","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/vice-society-spreads-its-own-ransomware\/","og_locale":"en_US","og_type":"article","og_title":"Vice Society spreads its own ransomware","og_description":"CERT Intrinsec dealt with the newly discovered bypass of ProxyNotShell named OWASSRF and this article details its modus operandi","og_url":"https:\/\/www.intrinsec.com\/en\/vice-society-spreads-its-own-ransomware\/","og_site_name":"INTRINSEC","article_published_time":"2023-02-14T14:34:06+00:00","author":"Intrinsec","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Intrinsec","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/"},"author":{"name":"Intrinsec","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799"},"headline":"Vice Society spreads its own ransomware","datePublished":"2023-02-14T14:34:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/"},"wordCount":426,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"image":{"@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#primaryimage"},"thumbnailUrl":"","keywords":["Cyber Threat Intelligence"],"articleSection":["Non cat\u00e9goris\u00e9"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/","url":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/","name":"INTRINSEC - Vice Society spreads its own ransomware","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#primaryimage"},"thumbnailUrl":"","datePublished":"2023-02-14T14:34:06+00:00","description":"CERT Intrinsec dealt with the newly discovered bypass of ProxyNotShell named OWASSRF and this article details its modus 
operandi","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/vice-society-spreads-its-own-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"Vice Society spreads its own ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm 
and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799","name":"Intrinsec","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","caption":"Intrinsec"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/ufhtbqccsz\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/223638","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=223638"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/223638\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=223638"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=223638"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=223638"}],"curies":[
{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}