Zscaler security researchers warn that two recently discovered .NET-based ransomware families encrypt victims' files using open source code.
The families, named Vortex and BUGWARE, have been observed in live attacks delivered through spam emails carrying malicious URLs.
Both are compiled to Microsoft Intermediate Language (MSIL) and are obfuscated with the 'Confuser' packer.
According to Zscaler's analysis, Vortex's ransom text is in Polish, and the malware uses AES-256 to encrypt images, audio, video, documents, and other potentially valuable data files on the victim's computer.
Like other ransomware, Vortex drops a ransom note as soon as encryption completes, telling the victim how to restore their data and how to pay.
The ransomware lets victims decrypt two files for free and demands a $100 ransom, which reportedly rises to $200 after four days. Victims are told to contact the operators at the Hc9@2.pl or Hc9@goat.si email addresses.
Once installed, Vortex attempts to persist by creating a registry entry and a registry key named "AESxWin". It also deletes volume shadow copies, so victims cannot roll back to earlier versions of their files without paying.
In its command-and-control (C&C) traffic, the researchers observed the malware sending system information and calling a password API to obtain the password used for encryption and decryption; the key material is therefore supplied by the C&C server rather than generated locally.
According to Zscaler, Vortex is built on AESxWin, a free encryption and decryption utility hosted on GitHub and written by Egyptian developer Eslam Hamouda. Because the file format is AESxWin's own, encrypted files can be decrypted with AESxWin itself if the password used for encryption is known (the password is fetched over the C&C channel, so a capture of that exchange is one place to look for it).
BUGWARE is based on the open source Hidden Tear code, which has been used to build several other ransomware families in the past.
BUGWARE is signed with an invalid certificate purporting to belong to GAS INFORMATICA LTDA, and it demands the equivalent of 1,000 Brazilian reals, payable in Monero.
The ransomware builds a list of paths to encrypt and stores it in a file named Criptografia.pathstoencrypt: it enumerates all fixed, network, and removable drives and adds their paths to the list.
The researchers found that BUGWARE generates an encryption key and uses 256-bit AES to encrypt the victim's files, renaming each encrypted file. The AES key is itself encrypted with an RSA public key, and the resulting ciphertext is stored base64-encoded in the registry, so recovering the files requires the matching private key, which only the operators hold.
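The key handling described above is standard hybrid encryption, and it is why the base64 blob in the registry is useless to the victim on its own. The following is an added example, not Zscaler's analysis code and not BUGWARE's own: it uses Python's `cryptography` package to encrypt sample data under a fresh AES-256 key, wrap that key with an RSA public key, base64-encode the wrapped key as it would be for the registry, and show that decryption succeeds only with the matching private key. The AES-GCM and RSA-OAEP modes, the 2048-bit key size, and all function names are this example's assumptions; the article does not state which modes BUGWARE uses.

```python
import base64
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# RSA-OAEP/SHA-256 and AES-256-GCM are this example's choices; the article only
# says "AES 256-bit" and "RSA public key", not the modes or padding BUGWARE uses.
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)
NONCE_LEN = 12


def encrypt_with_wrapped_key(plaintext: bytes, operator_pub: rsa.RSAPublicKey):
    """Encrypt data under a fresh AES-256 key and wrap that key with the public key.

    Returns (nonce||ciphertext, base64 wrapped key). Only the second value would be
    written to the registry; the raw AES key itself never needs to be stored.
    """
    aes_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    blob = nonce + AESGCM(aes_key).encrypt(nonce, plaintext, None)
    wrapped_b64 = base64.b64encode(operator_pub.encrypt(aes_key, OAEP)).decode()
    return blob, wrapped_b64


def decrypt_with_private_key(blob: bytes, wrapped_b64: str,
                             operator_priv: rsa.RSAPrivateKey) -> bytes:
    """Unwrap the AES key with the RSA private key, then decrypt the data."""
    aes_key = operator_priv.decrypt(base64.b64decode(wrapped_b64), OAEP)
    return AESGCM(aes_key).decrypt(blob[:NONCE_LEN], blob[NONCE_LEN:], None)


def demo():
    """Round trip with the operator's key, and failure with any other key."""
    operator = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    sample = b"constructed sample document contents"   # constructed input
    blob, wrapped = encrypt_with_wrapped_key(sample, operator.public_key())
    registry_bytes = len(base64.b64decode(wrapped))     # one RSA block: 256 for RSA-2048
    recovered = decrypt_with_private_key(blob, wrapped, operator)
    # A victim (or analyst) holding only the public key and the registry blob
    # cannot unwrap the AES key; a different private key fails the OAEP check.
    stranger = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    try:
        decrypt_with_private_key(blob, wrapped, stranger)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return recovered == sample, registry_bytes, wrong_key_rejected


if __name__ == "__main__":
    print(demo())   # (True, 256, True)
```

The size of the decoded registry value is a cheap triage signal: a base64 string that decodes to exactly one RSA block (256 bytes for a 2048-bit key) next to ransomware artifacts is consistent with a wrapped file-encryption key, and its presence tells responders that recovery depends on obtaining the operators' private key rather than on anything left on the host.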
For persistence, BUGWARE creates a Run key in the registry so that it executes at each user logon. If it detects removable drives, it drops a copy of itself onto them under the name "fatura-vencida.pdf.scr" ("fatura vencida" is Portuguese for "overdue invoice"; the .scr extension is a Windows screensaver executable disguised here as a PDF).
BUGWARE also replaces the victim's desktop background with an image downloaded from "i[.]imgur.com/NpKQ3KZ.jpg".
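The behaviours described for both families (the AESxWin registry name and Run-key persistence, shadow-copy deletion, the Criptografia.pathstoencrypt list file, the fatura-vencida.pdf.scr copy on removable media, and the imgur wallpaper URL) translate directly into triage rules. The following is an added example, not Zscaler's tooling and not code from either malware: Python rules run over constructed Sysmon-style process, registry, file and network events with assumed field names. The vssadmin/wmic command patterns, the user-writable-path heuristic, the registry location of BUGWARE's wrapped key and the RSA block-size check are this example's assumptions; the article states only the behaviours, not these specifics.

```python
import base64
import binascii
import re

# Constructed sample telemetry for this example (not real Zscaler data). The flat
# field names (type, image, cmdline, key, value, data, path, drive_type, url) are
# an assumed normalisation of Sysmon process/registry/file/network events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\ana\AppData\Local\Temp\fatura.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "AESxWin", "data": r"C:\Users\ana\AppData\Local\Temp\fatura.exe"},
    # Assumed location for BUGWARE's wrapped key; the article gives no key path.
    {"type": "registry", "key": r"HKCU\Software\Criptografia", "value": "key",
     "data": base64.b64encode(bytes(range(256))).decode()},
    {"type": "file", "path": r"E:\fatura-vencida.pdf.scr", "drive_type": "removable"},
    {"type": "file", "path": r"C:\Users\ana\Criptografia.pathstoencrypt", "drive_type": "fixed"},
    {"type": "network", "url": "http://i.imgur.com/NpKQ3KZ.jpg"},
    # Benign noise that the rules must leave alone.
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"type": "file", "path": r"E:\holiday.jpg", "drive_type": "removable"},
]

# vssadmin/wmic are the usual shadow-copy deletion commands; the article only says
# Vortex deletes shadow copies, so the exact command line is an assumption.
SHADOW_DELETE = re.compile(
    r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE)
# A document-looking name followed by an executable extension, e.g. invoice.pdf.scr
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|txt)\.(scr|exe|com|pif)$", re.IGNORECASE)
KNOWN_FILENAMES = {"fatura-vencida.pdf.scr", "criptografia.pathstoencrypt"}
KNOWN_REG_NAMES = {"aesxwin"}
KNOWN_URLS = {"i.imgur.com/npkq3kz.jpg"}
RSA_BLOCK_SIZES = {128, 256, 384, 512}   # RSA-1024/2048/3072/4096 ciphertext lengths


def _hit(rule, severity, evidence):
    return {"rule": rule, "severity": severity, "evidence": evidence}


def _decoded_len(text):
    """Length of the base64-decoded value, or None if it is not valid base64."""
    try:
        return len(base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError):
        return None


def check_process(ev):
    cmd = ev.get("cmdline", "")
    return [_hit("shadow_copy_deletion", "high", cmd)] if SHADOW_DELETE.search(cmd) else []


def check_registry(ev):
    hits = []
    key, value, data = ev.get("key", ""), ev.get("value", ""), ev.get("data", "")
    names = {value.lower(), key.rsplit("\\", 1)[-1].lower()}
    if names & KNOWN_REG_NAMES:
        hits.append(_hit("vortex_aesxwin_registry_name", "high", f"{key}\\{value}"))
    # Run-key autostart pointing into a user-writable directory is the pattern both families use.
    if RUN_KEY.search(key) and (USER_WRITABLE.search(data) or names & KNOWN_REG_NAMES):
        hits.append(_hit("run_key_persistence", "high", f"{key}\\{value} -> {data}"))
    # A base64 value that decodes to exactly one RSA block is consistent with a wrapped AES key.
    if len(data) >= 172 and _decoded_len(data) in RSA_BLOCK_SIZES:
        hits.append(_hit("rsa_wrapped_key_in_registry", "medium", f"{key}\\{value}"))
    return hits


def check_file(ev):
    hits = []
    path = ev.get("path", "")
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in KNOWN_FILENAMES:
        hits.append(_hit("known_ransomware_artifact", "high", path))
    if ev.get("drive_type") == "removable" and DOUBLE_EXT.search(name):
        hits.append(_hit("double_extension_on_removable", "high", path))
    return hits


def check_network(ev):
    url = re.sub(r"^https?://", "", ev.get("url", "")).lower()
    return [_hit("known_wallpaper_url", "medium", ev["url"])] if url in KNOWN_URLS else []


CHECKS = {"process": check_process, "registry": check_registry,
          "file": check_file, "network": check_network}


def triage(events):
    """Run every rule over the event stream and return the list of hits."""
    hits = []
    for ev in events:
        hits.extend(CHECKS.get(ev.get("type"), lambda _ev: [])(ev))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_EVENTS):
        print(f"[{h['severity']:>6}] {h['rule']}: {h['evidence']}")
```

The named indicators (file names, the AESxWin registry name, the imgur URL) are brittle and will not survive a rebuild of either family; the behavioural rules (shadow-copy deletion from a user-writable binary, a Run key pointing into AppData or Temp, a double-extension executable written to removable media) are the ones worth keeping in a detection pipeline, since the open source Hidden Tear and AESxWin lineage means more variants with the same habits are likely.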