Do the twist: Vortex ransomware spins and scrambles victim data

Earlier this year, we witnessed a new ransomware variant, Vortex, evolve from a previous strain, Polski. The most recent strain was developed using a freeware encryption and decryption tool called AESxWin, which was modified to give Vortex its malicious nature. Both primarily target Polish users.

Vortex has some very unorthodox characteristics, so let’s take a closer look.


Vortex is not spread through the usual spam email campaigns, instead its authors prefer to use RAT (Remote Access Trojans) as the delivery tool. The specific agent downloaders were JS/VJworm (JavaScript) variants.


Figure 1 - Delivery representation


Static analysis:

MD5: 91A07550E5CA2C977F50406F07126AC8


Figure 1 Version information

The version information lists AESxWin as both the product name and original file name. AESxWin is a free tool available from github and is used for encrypting and decrypting files. The image below shows that even the file’s icon is the same:


Figure 2 - File Icons

Both files are compiled with dotnet compiler and the target framework is .net 4.5.  

Code analysis (comparing AESxWin file and Vortex ransomware file)

The below image illustrates some of the differences between the legitimate AESxWin file and the Vortex ransomware – the upper portion contains the legitimate file, and the ransomware lies in the lower. 


Figure 3 - Comparison

The malicious, modified version contains extra routines like AESxWinAuto, Form1, pro and Reg. Examining these routines illustrates the behaviours of the ransomware variant:


 public class AESxWinAuto : Form
 public static string[] image_ext = new string[]
 public static string[] video_ext = new string[]
 public static string[] audio_ext = new string[]
 public static string[] document_ext = new string[]
 public static string[] compressed_ext = new string[]
 public static string[] code_ext = new string[

Each of these strings can be expanded, showing the targeted file format. For image_ext, we found the following extensions:

.pdb,.pif,.qed,.qcow,.qcow2,.rvt,.st7,.stm,.vbox,.vdi,.vhd,.vhdx,.vmdk,.vmsd,.vmx,.vmxf, .3fr,

For video_ext, we found the following target extensions for video files:


For audio_ext, we found the following target extensions for audio files:


For document_ext, we found the following target extensions for document files:


For compressed_ext, we found the following target extensions for compressed folders:


For code_ext we found the following target extensions for scripts and web page files:


We then found a startup entry registry function:

 public bool IsStartup
 RegistryKey registryKey =  Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",  true);
 return registryKey.GetValue(Assembly.GetExecutingAssembly().GetName().Name) != null;
 Reg.RegisterInStartup(value, Application.ExecutablePath);

This code includes an autostart entry to give the malware persistence. The ‘Get’ function notes the registry key name and looks for its presence. The ‘Set’ function appends another class, ‘Reg’, which registers the malware file location in the value entry. We then checked the ‘Reg’ class: 

 public static string Read(string KeyName)
 public static bool Write(string KeyName, object Value)
 public static void RegisterInStartup(bool isChecked, string executablePath)

The above three strings can be expanded, but we’ll just focus on the important points.

String Read(string KeyName) looks for the currentuser key in the registry and further seeks the subkey "SOFTWARE\\AESxWin". Bool Write (string KeyName, object Value), creates the subkey "SOFTWARE\\AESxWin", if the String Read function fails to find its subkey.

RegisterInStartup does the autostart work by adding the malware’s physical location to the value of the ‘Run’ registry entry. This is the Reg class’ primary function.

Other interesting functions

There are other interesting functions and codes to be examined. The following code ignores listed paths (locations) in the system. 

 private void InitIgnoredPaths()
 this.IgnoredPaths = new List();
 this.IgnoredPaths.Add("C:\\Program Files\\Common Files");

The paths Vortex ignores are Application Data and Common Files. It is clear this variant wants to focus on specific locations and ignores those without important documents. 

 DriveInfo[] drives = FilesHelper.GetDrives();
 Guid computerId = this.ComputerId;
 DriveInfo[] array = drives;
 for (int i = 0; i < array.Length; i++)
    DriveInfo driveInfo = array[i];

This code looks for documents, pictures, videos and recent files – all of which are important locations for any user. 

 bool enabled = this.btnStartAutoEncrypt.Enabled;

Auto encrypt is then enabled, started by the button: 

 btnStartAutoEncrypt_Click(object sender, EventArgs e)

After the encryption, the ransomware appends the “.ZABLOKOWANE" extension at the end of all encrypted files. A log of these encrypted files is stored in a .log file in the folder:


The following code refers to the logging details and the above-mentioned location.

AESxWinAuto.LogPath = "C:\\ProgramData\\Keyboard";

bool flag = !Directory.Exists(AESxWinAuto.LogPath);

if (flag)




In the log file, we found the string format:     

 Log.WriteLog(AESxWinAuto.LogPath, string.Format("Zaszyfrowano: {0} | {1} Hasło= {2}", Path.GetFileName(text), text, (currentPassword.Length > 3) ?  currentPassword.Substring(0, 4) : currentPassword));
 string directoryName = Path.GetDirectoryName(text);
 bool flag4 = !StatusFile.StatusFileExist(directoryName, "### - ODZYSKAJ SWOJE  DANE - ###.TXT");

Command and Control


C2: https://taniepilapl/mij/

Vortex gathers the victim’s IP address with the public api: "”

 @6002b94: ldloc.0 
 @6002b95: ldstr ;Aby Odzyska Pliki Skontaktuj Si Z Nami Pod Adresem: Lub 
 @6002b96: callvirt 0A00013A ;System.Text.StringBuilder::AppendLine

 We found the email address information in the above code. Password generation looks as though it’s done with the help of an api – see the following code:

 @6002a22: stsfld System.Int32 AESxWin.Helpers.PasswordAPICurrentIndex 
 @6002a23: ldc.i4.2 
 @6002a24: newarr System.Uri 
 @6002a25: dup 
 @6002a26: ldc.i4.0 
 @6002a27: ldstr ; 

The site – – is used for a password generating api, similar to how api.ipify is used to gather the infected user’s IP address.

 @6002b2c: ldc.i4.1 
 @6002b2d: ldstr ;https://taniepilapl/mij/ 
 @6002b2e: stelem.ref 
 @6002b2f: stsfld System.String[] AESxWin.Helpers.SendAPIUrls

The above shows command and control details inside the code.

IOC details



Email address:

File name:

The file name ‘AESxWin.exe’ is in a grey area in this case, because of the freeware encryption tool.



Run registry entry with value as AESxWin and physical location of the target file.


PDB: C:\c1\AESxWin-master\AESxWin-master\AESxWin\obj\Debug\AESxWin.pdb


While this ransomware variant was clearly written with only Polish victims in mind, it goes to show how clever malware authors can be. Not only does Vortex use unorthodox propagation methods, it also piggy backs off the hard work of a legitimate software developer. 

Currently this ransomware will not infect Windows XP users, because it requires .Net framework 4.5 or higher to run, similar to the freeware tool. Later Windows versions with .Net framework 4.5 can allow the ransomware to execute and infect the system. 


On 2017-08-23

Popular Posts

Privacy Statement | Terms of Use