A Polish criminal has been caught - CERT Polska publishes a decryption tool after a Vortex ransomware attack

Tomasz T., a Pole with a "multiple personality" who hid behind the pseudonyms Armaged0n, Thomas, the.xAx, 2Pac Team and others, has finally been caught. Polish police detained him on March 14, 2018, the day after he arrived in Poland from Belgium. Since 2011, malware developed by Tomasz T. has infected thousands of Polish computer users. His criminal activities included, among other things, extorting ransom for restoring access to encrypted files (a decryption tool has already been developed) and installing banking Trojans on users' computers. The financial losses of consumers and businesses are difficult to estimate.

For over 6 years, Tomasz T. impersonated many well-known companies. Using very simple but effective social engineering, he "encouraged" spam recipients to open an attachment or download a file from a remote server. The malware he used included exploits, Trojans and other types of malicious software.

Adam from the portal Trusted Third Party developed an infographic showing the names of companies whose image was used in fraudulent e-mails:

Companies that have been the victims of image theft

Decryption tool for the Vortex, Flotera and Polish Ransomware attacks

Better late than never. Victims of Vortex / Flotera / Polish Ransomware now have a chance to recover their data.

CERT Polska, which operates within NASK, in cooperation with the Bureau for Combating Cybercrime of the Police Headquarters and the District Prosecutor's Office in Warsaw, which effectively stopped the actor using Vortex ransomware in his spam campaigns, has prepared a tool that can decrypt files encrypted by some variants of Vortex ransomware, also known under other names: Flotera and Polish Ransomware.

As explained by CERT Polska, "Vortex was distributed via numerous spam campaigns analyzed by CERT Polska, using, inter alia, the image of: P4 sp. z o.o., ZARA store, PayU - card payments for Cinema City, Netia, eBOK Multimedia, Parcels in Ruch, Nationale Nederlanden, General Inspector for Personal Data Protection, PKO Leasing, Zastępczy Pojazd, mBank, Poczta Polska, DHL, attorneys Jerzy C., Andrzej L. and Wojciech W., Morele.net, Polkuriera and Wizz Air".

Although the tool can decrypt files, it does not yet include the full set of keys used in each campaign. The tool will be systematically updated.

If you managed to decrypt the files using the key obtained on this site, we kindly ask you to submit a notification of a suspected offense, together with the prosecutor, at the Police unit nearest to your place of residence, with reference to case file PO II Ds 129.2017 of the District Prosecutor's Office in Warsaw.

If you still have the e-mail message in which the perpetrator sent you the malicious file, please save it on a CD / DVD (along with full headers and attachments) and hand it over to the police as an attachment to the interrogation protocol. It will not be necessary to submit the computer on which the files were encrypted for examination.

This page provides information on what to do to recover files, and what to do if files cannot be recovered.

Using AEScrypt is very simple. Download the ZIP archive with the latest version, unpack it, run the "setup.exe" installer, right-click on the encrypted file, select "AES Decrypt" and enter the password previously obtained from https://nomoreransom.cert.pl/vortex

To decrypt more files at once, you can select all the files in one folder, or create a simple script that will transfer all encrypted data to one location.
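One way to write the script mentioned above (an added example, not code from AVLab or CERT Polska). It assumes the encrypted files carry the `.aes` extension that AES Crypt uses by default, and it copies rather than moves them, recording each original path and SHA-256 in a hypothetical `manifest.csv` so that decrypted files can be returned to their original folders.

```python
import csv
import hashlib
import shutil
import sys
from pathlib import Path

ENCRYPTED_SUFFIX = ".aes"  # assumption: AES Crypt's default extension


def sha256_of(path):
    """Hash a file in 1 MiB chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def stage_encrypted_files(source_root, staging_dir, suffix=ENCRYPTED_SUFFIX):
    """Copy encrypted files under source_root into one flat staging_dir.

    Originals are never modified. Returns (original_path, staged_name, sha256)
    rows and writes them to staging_dir/manifest.csv (hypothetical file name).
    """
    source_root = Path(source_root).resolve()
    staging_dir = Path(staging_dir).resolve()
    staging_dir.mkdir(parents=True, exist_ok=True)
    rows = []
    for src in sorted(source_root.rglob("*")):
        if not src.is_file() or src.suffix.lower() != suffix:
            continue
        if staging_dir in src.parents:  # do not re-stage our own copies
            continue
        digest = sha256_of(src)
        # Hash prefix keeps same-named files from different folders apart.
        staged = staging_dir / f"{digest[:12]}_{src.name}"
        if not staged.exists():
            shutil.copy2(src, staged)
        rows.append((str(src), staged.name, digest))
    with open(staging_dir / "manifest.csv", "w", newline="", encoding="utf-8") as out:
        writer = csv.writer(out)
        writer.writerow(["original_path", "staged_name", "sha256"])
        writer.writerows(rows)
    return rows


if __name__ == "__main__":
    for original, staged_name, _ in stage_encrypted_files(sys.argv[1], sys.argv[2]):
        print(f"{original} -> {staged_name}")
```

Run it with the folder to search and the staging folder as arguments; working on copies keeps the original encrypted files intact in case a later version of the tool adds the key for your campaign.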


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.