Privacy Ninja

Vovalex Is Likely The First Ransomware Written In D

Vovalex Is Likely The First Ransomware Written In D

A new ransomware called Vovalex is being distributed through fake pirated software that impersonates popular Windows utilities, such as CCleaner.

When it comes down to it, all ransomware infections boil down to the same function – encrypt a device’s files and then drop a ransom note demanding payment in some form.

While Vovalex is no different, what stands out to Advanced Intel’s Vitali Kremez and MalwareHunterTeam, who found the ransomware, is that it may be the first ransomware written in D.

According to the D website,  Dlang is inspired by C++ but shares components from other languages.

Also Read: Advisory Guidelines on Key Concepts in the PDPA: 23 Chapters

“D is the culmination of decades of experience implementing compilers for many diverse languages, and attempting to construct large projects using those languages. D draws inspiration from those other languages (most especially C++) and tempers it with experience and real world practicality,” states the D website.

As malware developers do not commonly use Dlang, Kremez believes that the attackers are using security software to bypass detections.

Vovalex is distributed as pirated software

Vovalex was first discovered by MalwareHunterTeam, who shared a sample [VirusTotal] with BleepingComputer so we can take a look.

The shared sample analyzed by BleepingComputer is distributed as a warez copy of the CCleaner Windows utility, as can be seen by the bundled NFO file below.

NFO file for a pirated copy of CCleaner
NFO file for a pirated copy of CCleaner

When executed, the ransomware will launch a legitimate CCleaner installer and copy itself to the random file name in the %Temp%folder.

CCleaner installer
CCleaner installer

The ransomware will begin to encrypt files on the drive and append the .vovalex extension to encrypted file’s names.

Vovalex encrypted files
Vovalex encrypted files

When done, the ransomware will create a ransom note named README.VOVALEX.txt on the desktop that asks for 0.5 XMR (Monero) to retrieve a decryptor. This amount is equal to approximately $69.54 at current prices.

Vovalex ransom note
Vovalex ransom note

At this time, it is unknown if researchers can decrypt the ransomware for free.

Also Read: Letter of Consent MOM: Getting the Details Right

Thankfully, Vovalex is not widely distributed at this time. If the threat actors partner with fake crack sites and adware bundles, similar to how STOP ransomware is distributed, then we may have a bigger problem on our hands.


Leave a Reply

Your email address will not be published. Required fields are marked *


Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.

Powered by WhatsApp Chat

× How can we help you?