Secplicity Blog


Ransomware Tracker (Entry #226): Bagli

Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/bagli

Bagli is commonly called Bagli Wiper because it doesn't actually encrypt files; it overwrites each file's bytes with output from the .NET Random() function. Technically, then, it isn't ransomware; it's pseudo-ransomware acting as a wiper. Although it drops a ransom note—oxu.txt—demanding $350 in Bitcoin, there is no possible way to recover the files. The ransom note is written in Azerbaijani, while the wiper's creator, ryukRans, posted primarily in Russian on XSS.is (a hacking forum). Therefore, we denoted the user as Azerbaijani with low-to-moderate confidence.

All in all, Bagli isn't a sophisticated or unique wiper. It is best known as the origin of the lineage behind another popular ransomware builder, Chaos. Because the builder is open source, Chaos has hundreds of variants. Thankfully, decryptors exist for most of what later versions of Chaos produce. The only exceptions are versions 1.0 and 2.0, which are built on the wiper functionality inherited from Bagli.

Filed under: Ransomware, Research