March 22, 2017
A malware author who loves Polish hip hop music appears to be behind the Polski, Vortex, and Flotera (spelled Ŧl๏tєгค) ransomware families, which have claimed a small number of victims between January and March this year.
All three ransomware families are related, each evolving from the previous one. First on the scene was the Polski ransomware, which was detected in live infections in late January or early February, although it took some time before a sample ended up in the hands of security researchers.
Polski HTML ransom note (Michael Gillespie)
Because Polski used a Sigaint email address to handle payments, and because the Sigaint email service went down in mid-February, the crook's operation stalled and an update became inevitable.
Vortex takes Polski's place
This update came in early March when GData security researcher Karsten Hahn came across Polski's next version, this time rebranded as the Vortex ransomware.
Vortex used the same ransom note but replaced the Sigaint email address. The only other visible change was that Vortex dropped the ransom demand from $249 to $199.
Polski's other features and mode of operation carried over unchanged, according to security experts from Polish tech news site Zaufana Trzecia Strona (ZTS). An English version of the original article is also available on the publication's English-language site, BadCyber.
According to researchers, the entire ransomware was based on AESxWin, a freeware encryption and decryption utility hosted on GitHub, and created by Egyptian software developer Eslam Hamouda.
AESxWin legitimate app (Eslam Hamouda)
The Polski malware author had made modifications to the AESxWin source code to account for the ransomware behavior.
The behavior that stood out the most was that when a user ran the ransomware, it showed a popup asking whether it should run at startup.
Pre-run popup (ZTS)
Pushing the Stop button here not only prevents the addition of a new Windows Registry entry that gives the ransomware boot persistence, but also stops the encryption process from starting altogether.
Ransomware installed via vjw0rm RAT
While you might be led to believe this is an act of ineptitude on the part of the ransomware's author, it is not such a glaring flaw.
ZTS researchers claim the ransomware was not spread via email spam campaigns. Instead, they say the ransomware was dropped on infected computers after users had previously fallen victim to vjw0rm, a remote access trojan (RAT) [1, 2].
Researchers believe the crooks use the RAT to access a victim's computer and then install Polski/Vortex/Flotera by hand. This makes the popup's presence irrelevant, as the crooks simply click through it, which explains why they didn't bother removing it from the modified AESxWin source code.
Ransomware could be decrypted in certain circumstances
Following this popup, the Polski/Vortex/Flotera encryption process starts. In its unaltered form, AESxWin works by taking a user-supplied AES-256 key and encrypting or decrypting the user's files with it.
In order to start the encryption process, the crook needs this initial encryption key. Low-end ransomware families sometimes ship with a hard-coded key; researchers usually recover it from the binary and release free decrypters.
Not wanting to make this mistake, but also not trusting key generation on the victim's computer, the crook makes an HTTP request to a public API and asks for a 40-character-long random alphanumeric string, which the ransomware uses as the encryption key. The API's URL is:
Similarly, the ransomware makes another request to another public API that returns the user's IP address.
The key and the victim's IP address are then packed into a single HTTP GET request and sent to the crook's C&C server.
All of this is sent in cleartext, with no encoding or encryption. If the victim runs an application that logs network traffic, whether on the machine or on the network, they can later find and extract the encryption key from those logs and avoid paying the ransom.
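Because the beacon is a plain HTTP GET carrying the key as a query-string value, recovering it from a proxy or HTTP log is a matter of filtering for a cleartext GET whose parameter value is exactly 40 (Polski/Vortex) or 120 (Flotera) alphanumeric characters, then confirming the candidate against the four-character key prefix the ransomware writes to its own .log file (described further down). The script below is an added example, not code from the article, ZTS, or the ransomware; the log format, the host names, the parameter names and the key values are constructed for illustration, since the real C&C URL and parameter names are not reproduced on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed key values: 40 characters (Polski/Vortex) and 120 (Flotera).
KEY40 = "Ab3dEfGh1JkLmN0pQrStUvWxYz0123456789AbCd"
KEY120 = "aZ9" * 40

# Constructed proxy log lines in a hypothetical "time src METHOD url status"
# format. Host names, paths and parameter names are assumptions; only the
# properties taken from the write-up matter: cleartext HTTP, a GET, and a
# 40- or 120-character alphanumeric key in the query string.
SAMPLE_LOG = f"""\
2017-03-02T10:14:03Z 10.0.0.17 GET http://api.example.invalid/random?len=40 200
2017-03-02T10:14:04Z 10.0.0.17 GET http://ip.example.invalid/ 200
2017-03-02T10:14:05Z 10.0.0.17 GET http://c2.example.invalid/gate.php?ip=203.0.113.5&key={KEY40} 200
2017-03-02T10:15:11Z 10.0.0.17 GET http://www.example.invalid/index.html?id=1234 200
2017-03-06T08:02:49Z 10.0.0.23 GET http://c2.example.invalid/gate.php?ip=203.0.113.9&key={KEY120} 200
2017-03-06T08:03:00Z 10.0.0.23 GET https://www.example.invalid/login?token={KEY40} 200
"""

KEY_RE = re.compile(r"^[A-Za-z0-9]+$")
KEY_LENGTHS = {40, 120}


def candidate_keys(log_text):
    """Return (timestamp, host, key) for every cleartext GET whose query
    string carries a value shaped like the ransomware's encryption key."""
    found = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "GET":
            continue
        url = parts[3]
        # Only plain HTTP is readable from the wire; an https beacon would
        # not have been recoverable this way, so it is deliberately skipped.
        if not url.startswith("http://"):
            continue
        split = urlsplit(url)
        for values in parse_qs(split.query).values():
            for value in values:
                if len(value) in KEY_LENGTHS and KEY_RE.match(value):
                    found.append((parts[0], split.hostname, value))
    return found


def match_prefix(candidates, prefix):
    """Keep only candidates whose first four characters equal the prefix
    recorded in the ransomware's .log file (supplied by the analyst)."""
    return [c for c in candidates if c[2].startswith(prefix)]


if __name__ == "__main__":
    hits = candidate_keys(SAMPLE_LOG)
    for ts, host, key in hits:
        print(f"{ts} {host} len={len(key)} key={key}")
    print("matching prefix Ab3d:", match_prefix(hits, "Ab3d"))
```

The same filter can be run against a packet capture with tshark (`-Y 'http.request.method == "GET"' -T fields -e http.request.full_uri`) and the resulting URIs piped through `candidate_keys`. The length test is what keeps false positives low: ordinary session tokens and IDs rarely land on exactly 40 or 120 alphanumeric characters, and the prefix check against the .log file settles any that do.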
Because the ransomware author didn't bother removing all of AESxWin's features, there's even a right-click menu option that launches the decryption process.
The actual encryption process targets only files in a selected list of folders. The folder list is:
In theory, the ransomware targets the following file types. According to ZTS researchers, in practice it only encrypts image files, due to an unknown bug.
Once the encryption process ends, the ransomware appends the .aes extension to every encrypted file. A log of all encrypted files, including the first four characters of the encryption key, is stored in a .log file in the folder:
Vortex ransom note (Karsten Hahn)
Four days after Vortex was found on VirusTotal, MalwareHunter discovered Flotera, another rebrand that is mostly identical to Vortex, except for its name and the fact that it uses a 120-character-long encryption key instead of 40, generated through the same public API.
According to data from ID-Ransomware, all three variants have claimed a few dozen victims, all from Poland.
Fan of Polish hip hop behind ransomware?
But things didn't stop here. As ransomware binaries piled up and researchers had more evidence to analyze, ZTS started to gather clues on the ransomware's author, who they believe is a person that goes online by the nickname of Armaged0n. ZTS researchers say they found the names of various Polish hip hop songs, artists and a recording studio in several of the ransomware's strings.
While attribution is never a 100% affair, clues in the ransomware's source code reveal that its author is a big fan of the Polish rap scene, similar to the music preferences of an amateur malware author active on infamous Hack Forums. But, to be fair, this attribution is based on shaky evidence, and should not be taken at face value, as more than one malware author is allowed to love Polish hip hop. Nevertheless, this could be the starting point of a law enforcement investigation.
Armaged0n Hack Forums profile (ZTS)
Polski contact methods:
Vortex contact methods:
Vortex SHA256 hash:
Flotera SHA256 hash:
Polski ransom note:
Vortex ransom note (similar to Ŧl๏tєгค гคภร๏๓ฬคгє):