November 30, 2023

A new ransomware called Vovalex is being distributed through pirated software that impersonates popular Windows utilities, such as CCleaner.

According to the D website, Dlang is inspired by C++ but shares components from other languages.

“D is the culmination of decades of experience implementing compilers for many diverse languages, and attempting to construct large projects using those languages. D draws inspiration from those other languages and tempers it with experience and real world practicality,” states the D website.

The shared sample analyzed by BleepingComputer is distributed as a warez copy of the CCleaner Windows utility, as can be seen by the bundled NFO file below.

NFO file for a pirated copy of CCleaner

When executed, the ransomware will launch a legitimate CCleaner installer and copy itself under a random file name to the %Temp% folder.

CCleaner installer

The ransomware will begin to encrypt files on the drive and append the .vovalex extension to the encrypted files' names.

Vovalex encrypted files

When done, the ransomware will create a ransom note named README.VOVALEX.txt on the desktop that asks for 0.5 XMR (Monero) to retrieve a decryptor. This amount is equal to approximately $69.54 at current prices.

At this time, it is unknown if researchers can decrypt the ransomware for free. The ransomware is not widely spread as of now.
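The two file-system indicators described above (the .vovalex extension and the README.VOVALEX.txt note) are enough for a quick triage sweep of a suspect profile or share. The script below is an added example, not code from the article or from BleepingComputer's analysis; the function names and the sample tree are constructed, and it assumes modification times have not been tampered with, so the earliest and latest values bracket when encryption ran.

```python
import os
import tempfile
from dataclasses import dataclass, field
from typing import Optional

EXT = ".vovalex"             # extension appended to encrypted files (from the article)
NOTE = "readme.vovalex.txt"  # ransom note name from the article, compared lowercased

@dataclass
class Triage:
    encrypted: list = field(default_factory=list)  # files carrying the extension
    notes: list = field(default_factory=list)      # ransom note copies
    errors: list = field(default_factory=list)     # unreadable paths, kept for review
    first_mtime: Optional[float] = None            # earliest write to an encrypted file
    last_mtime: Optional[float] = None             # latest write to an encrypted file

def scan(root):
    """Walk root, collect Vovalex artifacts and the mtime window of encrypted files."""
    res = Triage()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: res.errors.append(str(e))):
        for name in files:
            path, lower = os.path.join(dirpath, name), name.lower()
            if lower == NOTE:
                res.notes.append(path)
            elif lower.endswith(EXT):
                res.encrypted.append(path)
                try:
                    mtime = os.stat(path).st_mtime
                except OSError as exc:
                    res.errors.append(str(exc))
                    continue
                res.first_mtime = mtime if res.first_mtime is None else min(res.first_mtime, mtime)
                res.last_mtime = mtime if res.last_mtime is None else max(res.last_mtime, mtime)
    return res

def demo():
    """Constructed sample tree (not real victim data) exercising scan()."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"Documents/report.docx.vovalex": 1000, "Documents/photo.JPG.VOVALEX": 1600,
                   "Documents/untouched.txt": 500, "Desktop/README.VOVALEX.txt": 1700}
        for rel, mtime in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample")
            os.utime(path, (mtime, mtime))
        return scan(root)

if __name__ == "__main__":
    r = demo()
    print(len(r.encrypted), "encrypted,", len(r.notes), "note(s), window", r.first_mtime, "-", r.last_mtime)
```

Run `scan()` against a mounted image or a read-only copy rather than the live disk, so the sweep itself does not alter timestamps you may need later.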
