March 22, 2017

A malware author that loves Polish hip hop music appears to be behind the Polski, Vortex, and Flotera (spelled Ŧl๏tєгค) ransomware families that have made a small number of victims between January and March this year.

All three ransomware families are related, and one evolved from the other. First on the scene was the Polski ransomware, which was first detected in live infections in late January - early February, albeit it took some time before a sample ended up in the hands of security researchers.

Polski ransomware ransom note                                                                      Polski HTML ransom note (Michael Gilespie)

Because Polski used a Sigaint email address to handle payments, and because the Sigaint email service went down in mid-February, the crook's operation was eventually hindered and they were bound to issue an update.

Vortex takes Polski's place

This update came in early March when GData security researcher Karsten Hahn came across Polski's next version, this time rebranded as the Vortex ransomware.

Vortex used the same ransom note but replaced the Sigaint email address. The only visible change was that Vortex dropped the encryption price from $249 to $199.

Polski's other features and mode of operation remained the same, according to security experts from Polish tech news site Zaufan a Trzecia Strona (ZTS). An English version of the original article is also available on the publication's English site, Bad Cyber.

According to researchers, the entire ransomware was based on AESxWin, a freeware encryption and decryption utility hosted on GitHub, and created by Egyptian software developer Eslam Hamouda.

AESxWin                                                                       AESxWin legitimate app (Eslam Hamouda)

The Polski malware author had made modifications to the AESxWin source code to account for the ransomware behavior.

The behavior that stood out the most was that when users run the ransomware, it showed a popup asking if it should run at startup.

AESxWin popup                                                                                             Pre-run popup (ZTS)

Pushing the Stop button here not only prevents the addition of a new Windows Registry entry that gives the ransomware boot persistence, but also stops the encryption process from starting altogether.

Ransomware installed via vjw0rm RAT

While you might be led to believe this is an ineptitude on the part of the ransomware's author, it is not such a glaring flaw.

ZTS researchers claim the ransomware was not spread via email spam campaigns. Instead, they say the ransomware was dropped on infected computers after users had previously fallen victims to the vjw0rm, a remote access trojan (RAT) [1, 2].

Researchers believe crooks are using the RAT to access a victim's computer and then install Polski/Vortex/Flotera by hand. This means the popup's presence is irrelevant, as crooks would ignore it. This explains why they didn't bother removing it from the modified AESxWin source code.

Ransomware could be decrypted in certain circumstances

Following this popup, the Polski/Vortex/Flotera encryption process starts. In its unaltered form, AESxWin works by taking an AES-256 key and encrypting/decrypting the user's files.

In order to start the encryption process, the crook needs this initial encryption key. Low-level ransomware families sometimes come with a hard-coded key. Researchers usually find this encryption key and create free decrypters.

Not wanting to make this mistake, but also not trusting to generate a key on the local computer, the crook makes an HTTP request to a public API and asks for a 40-character-long random alpha-numeric string, which it uses as the encryption key. The API's URL is:
ransom14Similarly, the ransomware makes another request to another public API that returns the user's IP address.
ransom15All this information is packed neatly inside an HTTP GET request and sent to the crook's C&C server.

All data is sent in cleartext, with no encoding, and if the victim is using an application that logs network traffic, on the machine or on the network, he can find and extract the decryption key later on, and avoid paying the ransom demand.

Because the ransomware author didn't bother removing all of AESxWin's features, there's even a right-click menu option that launches the decryption process.
AESxWin right click menuThe actual encryption process targets only files in a selected list of folders. The folder list is:
Theoretically, the ransomware should target the following file types. According to ZTS researchers, in practice, the ransomware only encrypts image files due to an unknown bug.
ransom18Once the encryption process ends, the ransomware appends the .aes extension at the end of all encrypted files. A log of all encrypted files, including the first four characters of the encryption key is stored in a .log file in the folder:
Vortex ransomware ransom note                                                                       Vortex ransom note (Karsten Hahn)

Four days later after Vortex was found on Virus Total, MalwareHunter discovered Flotera, another rebrand, but mostly identical with Vortex, except its name and the fact it used a 120-characters-long encryption key, instead of 40, but generated through the same public API.

According to data from ID-Ransomware, all three variants made a few dozens victims, all from Poland.

Fan of Polish hip   hop behind ransomware?

But things didn't stop here. As ransomware binaries piled up and researchers had more evidence to analyze, ZTS started to gather clues on the ransomware's author, who they believe is a person that goes online by the nickname of Armaged0n. ZTS researchers say they found the names of various Polish hip hop songs, artists and a recording studio in several of the ransomware's strings.

While attribution is never a 100% affair, clues in the ransomware's source code reveal that its author is a big fan of the Polish rap scene, similar to the music preferences of an amateur malware author active on infamous Hack Forums. But, to be fair, this attribution is based on shaky evidence, and should not be taken at face value, as more than one malware author is allowed to love Polish hip hop. Nevertheless, this could be the starting point of a law enforcement investigation.
HackForums post                                                            Araged0n Hack Forum profile (ZTS)

Polski contact methods:

ransom20Vortex contact methods:

ransom21Vortex SHA256 hash:

ransom22Flotera SHA256 hash:


Registry key:

Network comms:

Polski ransom note:

Vortex ransom note (similar to Ŧl๏tєгค гคภร๏๓ฬคгє):

News Courtesy :