
Newly discovered ransomware ‘vxCrypter’ deletes duplicate files in an infected computer

  • vxCrypter keeps track of the SHA256 hash of each file it encrypts; if it encounters the same SHA256 hash while encrypting other files, it deletes the file instead of encrypting it.
  • The ransomware does not delete the duplicate files with the extensions .exe or .dll.

What is the issue - Lawrence Abrams, a security researcher and the owner of BleepingComputer, uncovered new ransomware dubbed ‘vxCrypter’.

Why it matters - In addition to encrypting files on an infected computer, this ransomware deletes duplicate files. “vxCrypter Ransomware. Appends .xLck. In-dev and buggy. Deleted numerous files instead of encrypting them,” Abrams tweeted.

The ransomware is written in .NET and is based on an older ransomware, ‘VxLock’, that was under development but never completed.

The big picture

Abrams analyzed vxCrypter and observed that the ransomware had deleted all the files in a folder except one. He noted that he assumed this was a bug, since the ransomware is still in the development stage.

However, another security researcher, Michael Gillespie, replied to Abrams explaining that the deletion of files is intentional.

Gillespie analyzed vxCrypter and explained that the ransomware keeps track of the SHA256 hash of each file it encrypts. If it encounters the same SHA256 hash while encrypting other files, it deletes the file instead of encrypting it.

“Here's why it deletes some files - it does a SHA256 of the file, and if it has already encrypted a file with that hash before, it deletes it. So any files that are a duplicate are just deleted,” Gillespie replied to Abrams’s tweet.

Worth noting

  • vxCrypter deletes duplicate files only for files with common extensions such as .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .sqlite, .odt, .jpg, .jpeg, .bmp, .gif, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .xsd, .cpp, .c, .h, .hpp, .htm, .py, .reg, .rb, .pl, .zip, .rar, .tgz, .key, .jsp, .db, .sqlite3, .sqlitedb, .bat, .bak, .7z, .avi, .fla, .flv, .java, .mpeg, .pem, .wmv, .tar, .tgz, .tiff, and .tif.
  • The ransomware does not delete the duplicate files with the extensions .exe or .dll.
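
As an added illustration for responders (not code from the article or from either researcher), the following script applies the hash-tracking rule described above, restricted to the article's extension list and its .exe/.dll exemption, to count the copies that would be deleted outright rather than encrypted. That number matters for recovery planning, because a file that was deleted instead of encrypted cannot be recovered by any later decryptor. The sample directory it builds is constructed for the demonstration.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
# Extensions the article lists as subject to duplicate deletion.
TARGETED = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".sqlite", ".odt", ".jpg", ".jpeg",
    ".bmp", ".gif", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html", ".xml",
    ".psd", ".xsd", ".cpp", ".c", ".h", ".hpp", ".htm", ".py", ".reg", ".rb", ".pl", ".zip", ".rar",
    ".tgz", ".key", ".jsp", ".db", ".sqlite3", ".sqlitedb", ".bat", ".bak", ".7z", ".avi", ".fla",
    ".flv", ".java", ".mpeg", ".pem", ".wmv", ".tar", ".tiff", ".tif",
}
NEVER_DELETED = {".exe", ".dll"}  # the article: .exe/.dll duplicates are not deleted

def sha256_of_file(path: Path) -> str:
    """Hash file contents in 1 MiB chunks so large files never sit in memory whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def duplicate_exposure(root) -> dict:
    """Group targeted files under root by SHA256; each group of n identical files
    would lose n-1 copies outright (the article gives no traversal order, so which
    copy survives is not predicted)."""
    root = Path(root)
    by_hash = defaultdict(list)
    for path in sorted(root.rglob("*")):
        ext = path.suffix.lower()
        if path.is_file() and ext in TARGETED and ext not in NEVER_DELETED:
            by_hash[sha256_of_file(path)].append(path.relative_to(root).as_posix())
    groups = {h: p for h, p in by_hash.items() if len(p) > 1}
    return {"groups": groups, "at_risk": sum(len(p) - 1 for p in groups.values())}

def build_sample_tree() -> str:
    """Write a constructed sample tree (not from the article) into a temp dir."""
    root = Path(tempfile.mkdtemp(prefix="vxcrypter_audit_"))
    files = {
        "docs/report.docx": b"quarterly report",
        "backup/report.docx": b"quarterly report",       # same bytes: one copy would be deleted
        "archive/report_copy.txt": b"quarterly report",  # hash match counts across extensions
        "bin/tool.exe": b"MZ-binary",
        "bin/tool_copy.exe": b"MZ-binary",               # .exe duplicates are spared
        "misc/readme.md": b"quarterly report",           # .md is not on the targeted list
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return str(root)
```

Run `duplicate_exposure(build_sample_tree())` to see one three-file group and an `at_risk` count of 2; point `duplicate_exposure` at a real share to size the exposure before an incident.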
Cyware Publisher
