PolyVice
PolyVice is a custom-branded ransomware variant associated with Vice Society and attributed in the underlying reporting to that ransomware ecosystem. It was observed appending the .ViceSociety extension to encrypted files and dropping ransom notes named "AllYFilesAE" in each encrypted directory. Researchers assessed early samples as being in active development because of the debugging messages they contained, while related decryptor activity indicates a release version existed by July 13, 2022. The malware is described as a 64-bit Windows binary compiled with MinGW, with one reported sample SHA1 of c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac.
PolyVice uses a hybrid encryption design combining NTRUEncrypt and ChaCha20-Poly1305. It imports a hardcoded offline-generated NTRU public key using provider EES587EP1, generates a unique NTRU key pair on the victim system at runtime using provider EES401EP2, encrypts the runtime-generated private key with the hardcoded master public key, and stores it in a configuration blob. For file encryption, it generates a unique ChaCha20-Poly1305 key and nonce per file and encrypts those values with the victim-specific NTRU public key.
The ransomware includes multithreaded performance optimizations and uses CreateThread, WaitForMultipleObjects, CreateIoCompletionPort, GetQueuedCompletionStatus, and PostQueuedCompletionStatus to parallelize encryption. If executed without command-line arguments, it enumerates local drives, remote drives, and network shares and recursively encrypts files using FindFirstFile and FindNextFile. Files smaller than 5 MB are fully encrypted; files from 5 MB to 100 MB are partially encrypted in two 2.5 MB chunks; and files larger than 100 MB are partially encrypted in ten intermittent 2.5 MB chunks totaling 25 MB.
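As an added triage example (not code from the page or from any of the cited researchers), the following Python models the size tiers described above to estimate how much of an affected volume was actually overwritten and where notes were dropped; the sample directory tree, file names and sizes are constructed, and treating exactly 5 MB and 100 MB as the middle tier is an assumption.

```python
import os
import tempfile

# Artefact names and size thresholds reported for PolyVice on this page.
EXTENSION = ".ViceSociety"
NOTE_NAME = "AllYFilesAE"
MB = 1024 * 1024
CHUNK = 5 * MB // 2  # 2.5 MB

def encryption_tier(size):
    """Map a file size to the reported behaviour and the bytes overwritten:
    <5 MB full; 5-100 MB two 2.5 MB chunks; >100 MB ten 2.5 MB chunks.
    Placing exactly 5 MB and 100 MB in the middle tier is an assumption."""
    if size < 5 * MB:
        return "full", size
    if size <= 100 * MB:
        return "partial-2", min(size, 2 * CHUNK)
    return "partial-10", min(size, 10 * CHUNK)

def triage(root):
    """Walk a volume; report note locations, encrypted files by tier and bytes overwritten."""
    report = {"notes": [], "encrypted": [], "bytes_total": 0, "bytes_encrypted": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == NOTE_NAME:
                report["notes"].append(path)
            elif name.endswith(EXTENSION):
                size = os.path.getsize(path)
                tier, overwritten = encryption_tier(size)
                report["encrypted"].append((path, size, tier))
                report["bytes_total"] += size
                report["bytes_encrypted"] += overwritten
    return report

def build_sample_tree():
    """Constructed sample: one file per tier, a clean file and two notes. Files
    are sparse (truncate only), so the 200 MB example costs no disk space."""
    root = tempfile.mkdtemp(prefix="polyvice_triage_")
    os.mkdir(os.path.join(root, "finance"))
    sizes = {"report.docx" + EXTENSION: 1 * MB,             # full
             "finance/ledger.mdb" + EXTENSION: 50 * MB,    # two chunks
             "finance/backup.vhdx" + EXTENSION: 200 * MB,  # ten chunks
             "readme.txt": 4096}                           # untouched
    for rel, size in sizes.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.truncate(size)
    for rel in (NOTE_NAME, os.path.join("finance", NOTE_NAME)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed placeholder ransom note\n")
    return root
```

On the constructed tree, 251 MB of files carry the extension but only 31 MB were overwritten, which is the number that matters when deciding whether carving intact regions of large files is worth the effort.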
The underlying reporting states that PolyVice shares significant code overlap with RedAlert, a Linux ransomware variant targeting VMware ESXi servers, and that the same Windows codebase was also used to build custom-branded payloads for Chily and SunnyDay. The main differences between these payloads were campaign-specific data such as file extension, ransom note name, master key, ransom note content, and wallpaper text. Based on these overlaps, the reporting assesses that an external specialist developer or developer group likely produced and sold custom-branded lockers to multiple threat groups, rather than Vice Society exclusively developing its own ransomware.
PolyVice was also reportedly used beginning in May 2025 by the pro-Ukrainian group Bearlyfy, also known as Labubu, in a modified form during attacks against Russian companies. In that reporting, PolyVice is described as a ransomware family attributed to Vice Society. High-confidence indicators directly mentioned in the content include the .ViceSociety encrypted-file extension, the ransom note filename "AllYFilesAE," and the sample SHA1 c8e7ecbbe78a26bea813eeed6801a0ac9d1eacac.
Vulnerabilities exploited
The TTPs are nothing new. They include initial network access through compromised credentials, exploitation of known vulnerabilities (e.g., PrintNightmare)
Groups observed using it
In a recent intrusion, we identified a ransomware deployment that appended the file extension .ViceSociety to all encrypted files in addition to dropping ransom notes with the file name “AllYFilesAE” in each encrypted directory. Our initial analysis suggested the ransomware, which we dubbed “PolyVice”, was in the early stages of development.
Beginning May 2025, Bearlyfy actors also utilized a modified version of PolyVice, a ransomware family attributed to Vice Society.
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic.
Discovery: 2 techniques
Collection: 1 technique
Impact: 1 technique
In a recent intrusion, we identified a ransomware deployment that appended the file extension .ViceSociety to all encrypted files... | Files smaller than 5MB are fully encrypted. Files with a size between 5MB and 100MB are partially encrypted... Files bigger than 100MB are partially encrypted...
Recent activity
A ransomware family, used in modified form by Bearlyfy, and attributed in the article to Vice Society.
A slightly modified version of the PolyVice ransomware was used in some Bearlyfy attacks beginning in May 2025; it is described as part of the Vice Society RaaS program.
Custom-branded Windows ransomware used by Vice Society and apparently other groups. It uses a hybrid encryption scheme combining NTRUEncrypt and ChaCha20-Poly1305, supports multithreaded encryption, encrypts files fully or partially based on size, appends a footer containing decryption metadata, and appears to be part of a builder-based locker-for-sale ecosystem.