Vovalex is the first ransomware written in Dlang

A new family of ransomware called Vovalex will spread through pirated software disguised as popular Windows utilities, such as CCleaner.

Brendan Smith

IT Security Expert

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer's work, the proverb "Forewarned is forearmed" describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.

DOWNLOAD NOW

Gridinsoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | 10% Off Coupon

The Vovalex ransomware has a special feature that distinguishes it from other malware of this class. In terms of functionality and operating principle, Vovalex is no different from other ransomware: it encrypts the victim’s files and then leaves her with a ransom note. However, researcher Vitaly Kremets, who discovered new ransomware, revealed an interesting feature.

According to the expert, Vovalex may be the first ransomware written in the programming language D. According to the description on the official website, the creators of D (or Dlang) were inspired by C ++. However, D is also known to borrow a number of components from other languages. As a rule, cybercriminals do not use Dlang, but in this case, as Vitaly Kremets suggested, the attackers are most likely trying to bypass detection by antivirus programs.

2021-01-29: 🆕🔥#Vovalex #Ransomware … in #Dlang or 'D'|x64 ~32mb Size

Probably First Documented Ransomware Written in 'D'
Dlang Section Headers with "dmd" Compiler
1⃣._deh
2⃣.dp
3⃣.minfo
4⃣.tp

XMR Monero Extortion |🤔D Likely Used to Bypass AV Detection
h/t @malwrhunterteam pic.twitter.com/XBjpsrbMLS

— Vitali Kremez (@VK_Intel) January 29, 2021

The MalwareHunterTeam team was the first to stumble upon Vovalex and posted a sample of the Vovalex ransomware on VirusTotal. The guys from BleepingComputer ¹ analyzed the sample and came to the conclusion that the ransomware is distributed as an illegal copy of the CCleaner utility for Windows systems. During the startup process, Vovalex opens a legitimate copy of the CCleaner installer and places its copy with an arbitrary file name in the %Temp% directory.

Fake CCleaner Installer

After that, the malware starts encrypting files on the victim’s computer by adding the .vovalex extension to them. The last step is to copy a note with the requirements to the desktop – README.VOVALEX.txt. Attackers ask for 0.5 XMR (Monero cryptocurrency) for a decoder. In dollars, this amount is approximately $69.54.

Here is a summary for the Vovalex:

1. Vovalex is likely the first ransomware written in D: bleepingcomputer.com

Article

Vovalex Ransomware

Description

Vovalex ransomware written in the programming language Dlang. It encrypting files by adding the .vovalex extension.

Author

Brendan Smith

Copyright

HowToFix.Guide

 

German Japanese Spanish Portuguese (Brazil) French Turkish Chinese (Traditional) Korean Indonesian