What is the issue - Lawrence Abrams, a security researcher and the owner of BleepingComputer, uncovered new ransomware dubbed ‘vxCrypter’.
Why it matters - In addition to encrypting files on an infected computer, this ransomware deletes duplicate files. “vxCrypter Ransomware. Appends .xLck. In-dev and buggy. Deleted numerous files instead of encrypting them,” Abrams tweeted.
The ransomware is written in .NET and is based on an older ransomware, ‘VxLock’, that was under development and was never completed.
The big picture
Abrams analyzed vxCrypter and observed that the ransomware had deleted all the files in a folder except one. The researcher noted that he assumed it to be a bug, since the ransomware is still in the development stage.
However, another security researcher, Michael Gillespie, replied to Abrams, explaining that the deletion of files is intentional.
Gillespie analyzed vxCrypter and explained that the ransomware keeps track of the SHA256 hash of each file it has encrypted. If it encounters the same SHA256 hash while encrypting other files, it deletes the file instead of encrypting it.
“Here's why it deletes some files - it does a SHA256 of the file, and if it has already encrypted a file with that hash before, it deletes it. So any files that are a duplicate are just deleted,” Gillespie replied to Abrams’s tweet.
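For incident response, the behaviour Gillespie describes means a missing file may have been deleted as a duplicate of a file that still exists in encrypted form. The following triage sketch is an added example, not code from the article or from vxCrypter; it assumes a pre-incident inventory of file hashes is available and that an encrypted file keeps its original path with `.xLck` appended, and all file names and contents are constructed.

```python
# Added example (not vxCrypter code): post-incident triage against a
# pre-incident inventory. All file names and contents below are constructed.
import hashlib
from collections import defaultdict

EXT = ".xLck"  # extension the article says vxCrypter appends

# Constructed pre-incident inventory: path -> file content.
SAMPLE_FILES = {
    "docs/report.docx": b"quarterly report",
    "docs/report - copy.docx": b"quarterly report",
    "backup/report.docx": b"quarterly report",
    "docs/notes.txt": b"meeting notes",
    "docs/todo.txt": b"todo list",
    "app/config.ini": b"[settings]",
}
# Constructed post-incident directory listing.
SURVIVING = {"docs/report.docx.xLck", "docs/notes.txt.xLck", "app/config.ini"}

def build_manifest(files):
    """Map each path to the SHA-256 hex digest of its content."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def triage(manifest, surviving):
    """Classify every inventoried path as (status, encrypted_twin_or_None)."""
    by_hash = defaultdict(list)
    for path, digest in manifest.items():
        by_hash[digest].append(path)
    report = {}
    for paths in by_hash.values():
        # Copies of this content that still exist in encrypted form.
        encrypted = sorted(p for p in paths if p + EXT in surviving)
        for p in paths:
            if p + EXT in surviving:
                report[p] = ("encrypted", None)
            elif p in surviving:
                report[p] = ("untouched", None)
            elif encrypted:
                # Same hash as an encrypted file: consistent with duplicate deletion.
                report[p] = ("deleted_duplicate", encrypted[0] + EXT)
            else:
                report[p] = ("missing_unexplained", None)
    return report

if __name__ == "__main__":
    result = triage(build_manifest(SAMPLE_FILES), SURVIVING)
    for path, (status, twin) in sorted(result.items()):
        print(f"{status:20} {path}" + (f"  (same content in {twin})" if twin else ""))
```

Files reported as `missing_unexplained` have no surviving encrypted copy with the same hash, so their absence is not accounted for by the duplicate check and needs separate investigation.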