Threat Watch

vxCrypter Ransomware Cleans Out Before It Encrypts

Recently discovered ransomware, vxCrypter, has been found to remove duplicate files from a targeted system when going through its encryption process. Written in .NET form, it is modeled after an unfinished ransomware named VxLock. When the researcher who first discovered it noticed it had removed all files from a folder except one, he thought it was a bug in the ransomware since it was in its developmental stage. After a deeper look from another researcher it was made clear that it was not just a bug and the ransomware had been doing it intentionally. When the ransomware is in the process of encrypting files it also stores the SHA256 hashes of files it has already encoded so if it comes across the same hash again it will simply delete it. Not only does this improve the speed of encryption but it also poses a larger threat to the target because of the files being completely wiped. Targeted file extensions include txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .sqlite, .odt, .jpg, .jpeg, .bmp, .gif, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .xsd, .cpp, .c, .h, .hpp, .htm, .py, .reg, .rb, .pl, .zip, .rar, .tgz, .key, .jsp, .db, .sqlite3, .sqlitedb, .bat, .bak, .7z, .avi, .fla, .flv, .java, .mpeg, .pem, .wmv, .tar, .tgz, .tiff, and .tif.

ANALYST NOTES

It is ideal for users to have an offline backup of important files that could be at risk for an attack of this nature, in turn, this would allow users to avoid paying the ransom if they have secure copies of the important files. End-point security products can be used to alert users to ransomware and other infectious attacks, even though none of these products are perfect, it is still an added layer of security. Ransomware will always continue to evolve so it important for users to be aware of new tactics and methods in an attempt to stay prepared for future attacks.