Researchers from Zscaler's ThreatLabZ division on Friday released an analysis report on two relatively new open-source ransomware programs, Bugware and Vortex, after tracking recent spam campaigns pushing the strains.
In addition to leveraging open-source code, both cryptors are also compiled in Microsoft Intermediate Language (MSIL) and packed with the Confuser packer, the cloud security company noted in a 1 December blog post.
Discovered in October 2017, Bugware targets the Brazilian population, demanding a ransom payment in the form of Monero cryptocurrency. At the time of analysis, the ransomware note, written in Portuguese was asking for the equivalent of 1,000 Brazilian real (£227).
Bugware was coded using Hidden Tear, an open-source ransomware trojan program that was first published on GitHub in 2015. Zscaler researchers found that the malicious payload was using an invalid security certificate that fraudulently purported to be from the company Gas Informatica LTDA.
The ransomware encrypts several paths, including %Desktop%, %Documents%, %Music%, %Pictures%, and %Videos%, and also searches for fixed, network, and removable drives to encrypt as well, while avoiding other whitelisted paths as well as files in directories containing certain strings, Zscaler explains.
Files are encrypted with an AES 256-bit algorithm, and then the AES key is further encrypted using RSA Public key. The malware then changes the desktop background to display the image of a bug, followed by the words “All Your files were encrypted!” (in Portuguese), repeated multiple times in successive lines. Below that: an email address where the attackers could be contacted.
Vortex, an older ransomware that was discovered last March, is written in Polish and uses AES-256 to encrypt image, video, audio and document files, as well as other key data, Zscaler reports. Its code, the blog post continues, is based entirely on AESxWin, a freeware encryption and decryption utility hosted on GitHub.
At the time of analysis, the ransom note demanded a payment of US$ 100 (£75), setting a deadline of four days before the ransom doubled. The attackers offered to decrypt two files for free, and issued two email addresses at which they could be contacted.
“Vortex also deletes all the shadow copy of restore point by running the following command: vssadmin.exe delete shadows /all /Quiet,” states the Zscaler blog post, authored by researchers Avinash Kumar, Amadeep Kumar, and Rajdeepsinh Dodia. “This ensures that the victim cannot recover their files by restoring the system to a preinfection stat.”