A look at two ransomware strains using open source code

Introduction

Ransomware has undoubtedly become one of the most prevalent and most prolific malware families, earning large profits for cybercriminals. Several dozen new ransomware strains and attacks were seen in 2017, including the infamous global outbreaks of WannaCry, Petya, and BadRabbit that impacted millions of computers worldwide.

In this blog, we explore two ransomware strains from 2017, Vortex and BUGWARE, both of which are compiled in Microsoft Intermediate Language (MSIL) and packed with the 'Confuser' packer. Interestingly, both strains use open source code to encrypt user files. ThreatLabZ, the research division of Zscaler, has been tracking these strains and is seeing payloads actively pushed to users via spam campaigns containing malicious URLs.

Case #1 - Vortex Ransomware

Vortex, written in Polish, employs the AES-256 cipher to encrypt victims' image, video, audio, document, and other potentially important data files. The ransom note informs victims about the restoration of their files and details how to send the ransom. The ransom note has the title “##@@ INFO O PLIKACH.txt.”

...