Recently discovered ransomware, vxCrypter, has been found to delete duplicate files from a targeted system during its encryption process. Written in .NET, it is modeled after an unfinished ransomware named VxLock. When the researcher who first discovered it noticed that it had removed every file from a folder except one, he assumed it was a bug, since the ransomware was still in development. A closer look by another researcher made clear that this was not a bug: the ransomware was deleting those files intentionally. As it encrypts files, the ransomware stores the SHA256 hash of each file it has already encrypted; if it later encounters a file with the same hash, it simply deletes that file instead of encrypting it. This speeds up encryption, but it also poses a larger threat to the victim, because the duplicate files are wiped outright. Targeted file extensions include .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .sqlite, .odt, .jpg, .jpeg, .bmp, .gif, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .xsd, .cpp, .c, .h, .hpp, .htm, .py, .reg, .rb, .pl, .zip, .rar, .tgz, .key, .jsp, .db, .sqlite3, .sqlitedb, .bat, .bak, .7z, .avi, .fla, .flv, .java, .mpeg, .pem, .wmv, .tar, .tgz, .tiff, and .tif.
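The hash-deduplication behaviour described above changes what a recovery effort can expect: of every set of byte-identical files, only one copy is encrypted and the rest are gone. The following read-only script is an added defensive example (not code from the report, from Binary Defense, or from vxCrypter) that estimates that blast radius for a directory tree by hashing every file whose extension is on the report's target list and grouping the files by SHA-256 digest. The sample tree it builds is constructed for illustration, the bare "txt" in the report is assumed to mean ".txt", and the sorted traversal order is an assumption; the number of copies lost per group does not depend on traversal order.

```python
"""Blast-radius estimate for a hash-deduplicating encryptor (defensive, read-only).

Added example; it is not code from the original report or from vxCrypter.
It walks a directory, SHA-256-hashes every file whose extension is on the
report's target list, and groups the files by digest. Under the behaviour the
report describes, only the first file of each digest group gets encrypted and
every later file with the same digest is deleted instead, so those copies are
gone regardless of what happens to the encryption key. Nothing here writes to,
renames or deletes any file outside the constructed sample tree.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Extensions listed in the report. The bare "txt" is assumed to mean ".txt".
TARGETED_EXTENSIONS = frozenset({
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".sqlite",
    ".odt", ".jpg", ".jpeg", ".bmp", ".gif", ".png", ".csv", ".sql", ".mdb",
    ".sln", ".php", ".asp", ".aspx", ".html", ".xml", ".psd", ".xsd", ".cpp",
    ".c", ".h", ".hpp", ".htm", ".py", ".reg", ".rb", ".pl", ".zip", ".rar",
    ".tgz", ".key", ".jsp", ".db", ".sqlite3", ".sqlitedb", ".bat", ".bak",
    ".7z", ".avi", ".fla", ".flv", ".java", ".mpeg", ".pem", ".wmv", ".tar",
    ".tiff", ".tif",
})


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_dedup_exposure(root, extensions=TARGETED_EXTENSIONS):
    """Group targeted files under `root` by SHA-256 digest.

    Returns (groups, would_be_deleted): `groups` maps digest -> list of paths
    with that content, in sorted path order; `would_be_deleted` lists every
    path after the first in each group. Sorted order is an assumption about
    traversal (the report does not state the malware's order), but the number
    of casualties per group, len(group) - 1, is the same for any order.
    """
    candidates = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in extensions:
                candidates.append(os.path.join(dirpath, name))
    groups = defaultdict(list)
    for path in sorted(candidates):
        groups[sha256_of_file(path)].append(path)
    would_be_deleted = [p for paths in groups.values() for p in paths[1:]]
    return dict(groups), would_be_deleted


def summarize(root, extensions=TARGETED_EXTENSIONS):
    """Counts a responder wants: targeted files present, distinct contents,
    and how many copies would be wiped rather than encrypted."""
    groups, deleted = hash_dedup_exposure(root, extensions)
    return {
        "matched_files": sum(len(v) for v in groups.values()),
        "unique_digests": len(groups),
        "would_be_deleted": len(deleted),
        "largest_group": max((len(v) for v in groups.values()), default=0),
    }


# Constructed sample tree: three distinct contents spread over six targeted
# files, plus two files whose extensions are not on the report's list.
SAMPLE_FILES = {
    "docs/report.docx": b"quarterly numbers",
    "backup/report_copy.docx": b"quarterly numbers",   # duplicate of the above
    "docs/notes.txt": b"meeting notes",
    "docs/notes_old.txt": b"meeting notes",            # duplicate
    "archive/notes.bak": b"meeting notes",             # duplicate, other extension
    "src/main.cpp": b"int main(void) { return 0; }",
    "README.md": b"not on the target list",
    "tools/helper.exe": b"not on the target list either",
}


def build_sample_tree(root):
    """Write SAMPLE_FILES under `root`; return the number of files written."""
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return len(SAMPLE_FILES)


def demo():
    """Build the sample tree in a fresh temporary directory and summarize it."""
    root = tempfile.mkdtemp(prefix="dedup_exposure_")
    build_sample_tree(root)
    return summarize(root)


if __name__ == "__main__":
    print(demo())
```

On the constructed tree, six files match the target list but carry only three distinct contents, so three of them would be deleted rather than encrypted; the `.bak` copy counts as a casualty even though its extension differs from the `.txt` originals, because the grouping is by content alone. Pointing `summarize()` at a real backup or file-share root shows which directories rely on duplicate copies that this behaviour would not leave behind.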
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense