
Vovalex Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 75
First Seen: July 24, 2009
Last Seen: February 3, 2021
OS(es) Affected: Windows

The Vovalex Ransomware is a file-locking Trojan that blocks access to the user's media, such as pictures and documents, by encrypting each file. It demands a Monero-based ransom and currently spreads by bundling itself with unofficial downloads of in-demand software, such as Registry cleaners. Users should avoid unofficial download resources like torrents, scan new files for threats, back up their work, and let anti-malware programs delete the Vovalex Ransomware on detection.

Newly-Unleashed Trojans Taking Advantage of Software Pirates

Downloading a premium version of a program as a bargain might seem too good to be true, and in some cases that suspicion is more than just second-guessing oneself. The Vovalex Ransomware campaign, a newly-released threat similar to the STOP Ransomware or the Crysis Ransomware (among others), takes advantage of software pirates as easy-to-plunder victims. Once on the computer, its modus operandi is standard enough, consisting of little more than an encryption attack and a ransom note.

The Vovalex Ransomware is a Windows threat that bundles itself with downloads of in-demand but illicit products, such as a cracked version of the Registry-cleaning tool CCleaner. As part of its effective disguise, the installer does install the desired program, which provides the perfect distraction. Simultaneously, the Vovalex Ransomware starts encrypting and locking the user's pictures, documents, spreadsheets and other media.

The final touches of the Vovalex Ransomware's payload include a 'vovalex' extension on each hostage file and a text ransom note in both English and Russian. The threat actor asks for what malware experts point out is a notably small ransom of seventy USD in Monero (instead of the more popular Bitcoin cryptocurrency). These facts make it self-evident that the Vovalex Ransomware's developer plans on making money by compromising as many random victims as possible, with an emphasis on easy targets like home users and casual software pirates.
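Because the Trojan's visible side effect is a burst of files gaining the 'vovalex' extension, a defender can watch for that pattern. The following is an added example (not code from the original article or from the malware): a rate-based heuristic over rename events. The event line format and the sample events are constructed for this example; adapt the parser to your own EDR or Sysmon export.

```python
"""Burst detector for file renames that add the 'vovalex' extension (defender-side heuristic)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <pid> <old path> -> <new path>", chronological order.
# pid 4120 renames five files within a few seconds; pid 900 and pid 777 are benign noise.
SAMPLE_EVENTS = r"""
2021-02-03T10:00:01 4120 C:\Users\a\Pictures\01.jpg -> C:\Users\a\Pictures\01.jpg.vovalex
2021-02-03T10:00:02 4120 C:\Users\a\Pictures\02.jpg -> C:\Users\a\Pictures\02.jpg.vovalex
2021-02-03T10:00:02 900 C:\Users\a\Documents\draft.docx -> C:\Users\a\Documents\final.docx
2021-02-03T10:00:03 4120 C:\Users\a\Documents\cv.docx -> C:\Users\a\Documents\cv.docx.vovalex
2021-02-03T10:00:04 4120 C:\Users\a\Documents\tax.xlsx -> C:\Users\a\Documents\tax.xlsx.vovalex
2021-02-03T10:00:06 4120 C:\Users\a\Music\a.mp3 -> C:\Users\a\Music\a.mp3.vovalex
2021-02-03T10:00:30 777 C:\tmp\x.txt -> C:\tmp\x.txt.vovalex
"""


def parse_event(line):
    """Split one constructed event line into (timestamp, pid, old_path, new_path)."""
    ts, pid, rest = line.split(" ", 2)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), int(pid), old, new


def detect_bursts(lines, ext=".vovalex", window=timedelta(seconds=10), threshold=5):
    """Return {pid: time_of_first_alert} for every process that renames at least
    `threshold` files to `ext` inside a sliding `window` (events must be chronological).
    The assumed dotted form ".vovalex" is a placeholder; match whatever your samples show."""
    recent = defaultdict(deque)  # pid -> timestamps of recent matching renames
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, pid, _old, new = parse_event(line)
        if not new.lower().endswith(ext):
            continue  # ordinary rename, not a file-locking side effect
        q = recent[pid]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop renames that fell out of the window
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts


if __name__ == "__main__":
    for pid, when in detect_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT pid={pid} mass rename to .vovalex at {when.isoformat()}")
```

A single stray '.vovalex' rename (pid 777) stays below the threshold, so the alert fires only on the sustained burst that characterizes an active encryption run.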

While potentially viable, this strategy contrasts with the Trojan families that target corporate and government networks and those that lock weakly-protected website servers.

Programming Innovation in Otherwise-Ignorable Trojan Projects

Users considering the Vovalex Ransomware's payload and distribution tactics may question the importance of the Trojan's campaign, which is comparable to a less-popular version of the STOP Ransomware's Ransomware-as-a-Service. However, the Vovalex Ransomware samples under analysis confirm that the program is written in a highly unusual language: D (Dlang). This language takes significant inspiration from C++, but as far as malware researchers can determine, this campaign is the first time it has been put to work in a Trojan campaign.

The Vovalex Ransomware's language choice is a likely attempt at evading security solutions' threat-detection models. Of course, Windows users can protect themselves by avoiding pirated software resources, which make up a non-trivial segment of the drive-by-download tactics for file-locking Trojans worldwide. They also should scan new downloads for possible threats, be cautious about activating features like macros or JavaScript, and use strong passwords that stop brute-forcing attackers in the early stages.

Modern anti-malware services should delete the Vovalex Ransomware from infected systems and block infection attempts, regardless of the above facts. Malware experts also continue emphasizing backups on other systems or storage drives as essential for thwarting the Vovalex Ransomware's file-locking sabotage.

The Vovalex Ransomware seems relatively contained, for the moment, but could go global quickly and target users with all-too-believable installer shell games. When one download option results in widespread loss of precious files, there's little justifying software piracy, no matter the expense of the product.


15 security vendors flagged this file as malicious.