Threat Database Ransomware Vortex Ransomware

Vortex Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: March 10, 2017
OS(es) Affected: Windows

The Vortex Ransomware infection is designed to target computer users in Poland. The Vortex Ransomware was first observed on March 9, 2017, and carries out a typical ransomware attack on infected computers. The Vortex Ransomware has been linked to two executable files on infected computers, which may be named 'AESxWin.exe' or 'polish.exe.' The most common way of distributing the Vortex Ransomware is through the use of corrupted email attachments that may be delivered using spam email messages. The Vortex Ransomware is installed on victim's computers by tricking them into opening a corrupted text document that uses macros to execute corrupted code on the infected computer. These files may be associated with social engineering techniques used to trick computer users into opening the file attachment. Opening the file reveals a blank page with a yellow message that reads 'Please, enable macro to load the document properly.' Of course, enabling macros (if they are not already enabled), allows the Vortex Ransomware to be installed and carry out its attack.

This Vortex will Prevent You from Accessing Your Files

The Vortex Ransomware scans the victim's computer and determines which files will be encrypted. The Vortex Ransomware uses the AES 256 encryption to make the victim's files inaccessible completely. The Vortex Ransomware connects to a Web API to generate a random password that is 40 characters long for every infected computer. The Vortex Ransomware will encrypt the following file types on the infected computer:


The files affected by the Vortex Ransomware encryption routine will be marked with the addition of the extension '.aes' to the end of the files' names. The Vortex Ransomware will drop a file named 'ODZSZYFRUJ-DANE.txt,' which translated into Polish means 'DECRYPT-DATA.txt.' This file, located on the victim's Desktop, asks the victim to pay $199 USD using BitCoins. The message is written in Polish, and can be translated as follows:

'the Vortex Ransomware
You can not find the necessary files on your hard drive? The contents of your files do not open?
This is a result of the program that encrypted the most of your data using strong algorithm aes-256 a minute ago. The uniformed service for disguising data transmitted electronically.
The only way to recover your files is buying a decryption program from us, with a single unique key generated for you!
Once you choose to recover your data, please contact us at e-mail: or
2 Files Decrypted for free to prove that we are able to do so, for the rest, unfortunately, you have to pay!
Price for decryption of all files: $199
Warning! Do not waste your time, time is money for 4 days price will increase by 100%!

Dealing with the Vortex Ransomware

Although the Vortex Ransomware is targeting Polish-speaking computer users clearly, it is not unlikely that computer users in other parts of the world will also be targeted by this attack. Malware analysts have the same advice for dealing with the Vortex Ransomware as with any other of the countless encryption ransomware Trojans that are active currently: computer users should refrain from following the instructions in the ransom note or paying the ransom amount. Instead, it will be necessary to recover the affected files from a backup after removing the Vortex Ransomware infection itself with the help of a reliable security program that is fully up-to-date.

SpyHunter Detects & Remove Vortex Ransomware

File System Details

Vortex Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe ac6a5927cc9ff8cfe821e73b0fc26cae 0
2. file.exe f13428efe5bea3f2f413ded0940ff214 0
3. file.exe bf5eee6431e218b768c552676684b60f 0
4. file.exe 642abb4ece3b3f21a6311b6af0dc43dc 0

Related Posts


Most Viewed