
Researchers dissect open-source ransomware programs Bugware and Vortex

Researchers from Zscaler's ThreatLabZ division on Friday released an analysis report on two relatively new open-source ransomware programs, Bugware and Vortex, after tracking recent spam campaigns pushing the strains.

In addition to leveraging open-source code, both cryptors are also compiled in Microsoft Intermediate Language (MSIL) and packed with the Confuser packer, the cloud security company noted in a Dec. 1 blog post.

Discovered in October 2017, Bugware targets the Brazilian population, demanding a ransom payment in the form of Monero cryptocurrency. At the time of analysis, the ransomware note, written in Portuguese, was asking for the equivalent of 1,000 Brazilian real, or just over U.S. $300 (based on Dec. 1 conversion rates).

Bugware was coded using Hidden Tear, an open-source ransomware trojan program that was first published on GitHub in 2015. Zscaler researchers found that the malicious payload was using an invalid security certificate that fraudulently purported to be from the company Gas Informatica LTDA.

The ransomware encrypts files under several paths, including %Desktop%, %Documents%, %Music%, %Pictures%, and %Videos%, and also searches fixed, network, and removable drives for further files to encrypt, while skipping whitelisted paths and files in directories whose names contain certain strings, Zscaler explains.

Files are encrypted with AES-256, and the AES key is then itself encrypted with an RSA public key. The malware then changes the desktop background to display the image of a bug, followed by the words “All Your files were encrypted!” (in Portuguese), repeated multiple times in successive lines. Below that: an email address where the attackers could be contacted.

Vortex, an older ransomware that was discovered last March, is written in Polish and uses AES-256 to encrypt image, video, audio and document files, as well as other key data, Zscaler reports. Its code, the blog post continues, is based entirely on AESxWin, a freeware encryption and decryption utility hosted on GitHub.

At the time of analysis, the ransom note demanded a payment of $100, setting a deadline of four days before the ransom doubled. The attackers offered to decrypt two files for free, and issued two email addresses at which they could be contacted. 

“Vortex also deletes all the shadow copies of restore points by running the following command: vssadmin.exe delete shadows /all /Quiet,” states the Zscaler blog post, authored by researchers Avinash Kumar, Amadeep Kumar, and Rajdeepsinh Dodia. “This ensures that the victim cannot recover their files by restoring the system to a preinfection state.”
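The shadow-copy deletion quoted above is one of the few behaviours in the report that a defender can match directly in endpoint telemetry. The following is an added example (not code from the Zscaler report or SC Media) that runs a small detection over constructed process-creation events; the event fields, host names and file paths are invented for illustration, and the matching is written to be insensitive to case, spacing and switch order so the same rule catches the exact command on the page as well as trivially re-spaced or re-ordered variants of it.

```python
import re
from typing import Iterable, List, Dict

# Constructed sample process-creation events (Sysmon-like fields).
# These are invented for the example, not logs from the Zscaler analysis.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2017-12-01T10:02:11Z", "host": "ws01", "user": "alice",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"ts": "2017-12-01T10:05:40Z", "host": "ws01", "user": "alice",
     "parent": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet"},
    {"ts": "2017-12-01T10:06:02Z", "host": "ws02", "user": "SYSTEM",
     "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},          # benign: listing only
    {"ts": "2017-12-01T10:07:15Z", "host": "ws03", "user": "bob",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "VSSADMIN  Delete  Shadows  /quiet  /all"},  # re-spaced variant
]

# "vssadmin" (with or without .exe), then "delete", then "shadows", in that
# order, anything in between; case-insensitive so capitalisation tricks fail.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*?\bdelete\b.*?\bshadows\b", re.IGNORECASE)

# The two switches that appear in the command quoted by Zscaler.
FLAG_RE = re.compile(r"/(all|quiet)\b", re.IGNORECASE)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when a command line deletes Volume Shadow Copies via vssadmin."""
    return bool(SHADOW_DELETE_RE.search(cmdline))


def detect_shadow_copy_deletion(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one alert per event whose command line deletes shadow copies.

    Severity is raised to "high" when /all is present, because deleting
    every shadow copy removes the victim's last local recovery path.
    """
    alerts: List[Dict[str, object]] = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        if not is_shadow_copy_deletion(cmd):
            continue
        flags = sorted({f.lower() for f in FLAG_RE.findall(cmd)})
        alerts.append({
            "ts": ev.get("ts"),
            "host": ev.get("host"),
            "user": ev.get("user"),
            "parent": ev.get("parent"),   # who launched vssadmin is the key triage field
            "cmdline": cmd,
            "flags": flags,
            "severity": "high" if "all" in flags else "medium",
            "rule": "vssadmin-delete-shadows",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['ts']} {alert['host']} "
              f"user={alert['user']} parent={alert['parent']} cmd={alert['cmdline']!r}")
```

When triaging a hit, the parent process is what separates an administrator's scripted cleanup from ransomware: a vssadmin child of an executable in a user's Temp directory, as in the second constructed event, is the pattern worth paging on, and in many environments any non-administrative launch of this command can be blocked outright rather than merely alerted on.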

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts, and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
