2 Ransomware Attacks Using Open Source Code

Monday, December 4, 2017 @ 06:12 PM gHale


Ransomware has become one of the most popular and most prolific malware families, earning quick, large profits for cybercriminals.

Along those lines, two new .NET-based ransomware families are using open source repositories to encrypt users’ files, researchers said.


The two ransomware products, Vortex and BUGWARE, are distributed via spam emails containing malicious URLs, said researchers at Zscaler.

Both ransomware families are written in Microsoft Intermediate Language (MSIL) and use the ‘Confuser’ packer.

Both ransomware strains are using open source code for encrypting user files, researchers said in a blog post.

The Vortex ransomware is in Polish and makes use of the AES-256 cipher to encrypt image, video, audio, document, and other data files, researchers said.

Once a system is infected, the malware drops a ransom note as soon as it completes the encryption process, informing the victim how they can restore their data and how to send the ransom money.

The malware allows users to decrypt two of their files for free and demands a $100 ransom, which supposedly increases to $200 in four days.

BUGWARE uses the open source Hidden Tear code.

It also uses an invalid certificate pretending to be for GAS INFORMATICA LTDA and asks victims to pay the equivalent of a thousand Brazilian reals in Monero.

The malware creates a list of paths to encrypt and stores it in a file called Criptografia.pathstoencrypt. It also searches for all fixed, network, and removable drives and adds those paths to the list.

BUGWARE generates the encryption key and uses the AES 256-bit algorithm to encrypt users’ files, renaming the encrypted files as it goes, researchers said.
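The behaviour described above (a path-list file named Criptografia.pathstoencrypt, activity across several drives, then a run of file renames) is the kind of sequence an endpoint sensor can score. The following is an added detection sketch, not code from Zscaler or from either malware family; the event format, the rename-burst threshold and the sliding window are assumptions, and the telemetry is constructed.

```python
from collections import defaultdict

IOC_FILENAME = "Criptografia.pathstoencrypt"  # path-list file named in the report
RENAME_BURST = 5      # assumed threshold: renames by one process inside the window
WINDOW_SECONDS = 10   # assumed sliding window length

def analyse_events(events):
    """events: iterable of (timestamp_seconds, pid, op, path) with op in
    {"create", "rename"}. Returns {pid: sorted list of finding names}."""
    findings = defaultdict(set)
    rename_times = defaultdict(list)
    drives_seen = defaultdict(set)
    for ts, pid, op, path in events:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1]
        if op == "create" and name == IOC_FILENAME:
            findings[pid].add("ioc_pathlist_file")
        # Activity on two or more drive letters matches the drive enumeration
        if len(path) > 1 and path[1] == ":":
            drives_seen[pid].add(path[0].upper())
            if len(drives_seen[pid]) >= 2:
                findings[pid].add("multi_drive_activity")
        if op == "rename":
            times = rename_times[pid]
            times.append(ts)
            # Keep only renames that fall inside the sliding window
            while times and ts - times[0] > WINDOW_SECONDS:
                times.pop(0)
            if len(times) >= RENAME_BURST:
                findings[pid].add("rename_burst")
    return {pid: sorted(f) for pid, f in findings.items()}

# Constructed sample telemetry: pid 4242 mimics the described sequence,
# pid 100 is an ordinary user process renaming two files minutes apart.
SAMPLE_EVENTS = [
    (0, 4242, "create", r"C:\Users\victim\AppData\Roaming\Criptografia.pathstoencrypt"),
    (1, 4242, "rename", r"C:\Users\victim\Documents\report.docx"),
    (2, 100, "rename", r"C:\Users\victim\Desktop\notes.txt"),
    (2, 4242, "rename", r"C:\Users\victim\Documents\budget.xlsx"),
    (3, 4242, "rename", r"C:\Users\victim\Pictures\holiday.jpg"),
    (4, 4242, "rename", r"C:\Users\victim\Music\track.mp3"),
    (5, 4242, "rename", r"C:\Users\victim\Videos\clip.mp4"),
    (6, 4242, "rename", r"D:\backup\archive.zip"),
    (30, 100, "rename", r"C:\Users\victim\Desktop\todo.txt"),
]

if __name__ == "__main__":
    for pid, hits in analyse_events(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Any single finding is weak on its own; the combination on one process within seconds is what merits an alert.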


