New Ransomware Variant Deletes Duplicate Files

vxCrypter Removes Duplicate Files to Increase Encryption Speed

A newly discovered ransomware variant, called vxCrypter, is going beyond the standard encryption included in all ransomware variants, and monitors hashes to ensure duplicate files are removed from the endpoint. 

BleepingComputer’s Lawrence Abrams, confirmed he discovered vxCrypter, and reported it is still under development.  Based on his findings, it is believed vxCrypter has been developed from vxLock, an older ransomware variant that was never completed or released into the wild. 

Once vxCrypter is downloaded, and begins to encrypt the user’s files, the ransomware tracks the SHA256 hashes.  From there, if another file is found with the same hash that was previously identified, the file will then be deleted.  It is unclear why the hackers would program the malware to delete the duplicate files, other than to increase the encryption speed.  By increasing the encryption speed, the hackers are able to maximize damages in minimal time. 

It should be noted, not all file extensions are being deleted if they are duplicates.  For example, if vxCrypter finds duplicate .exe or .dll files, they will not be removed.  Instead, the hackers focus on documents, pictures, .java and .zip files.

To date, this is the first ransomware variant that is deleting duplicate files from the victim’s devices. 

 891 total views,  2 views today

(Visited 1 times, 1 visits today)
Related Reading  Under Attack

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.