
vxCrypter Is the First Ransomware to Delete Duplicate Files


The vxCrypter Ransomware may be the first ransomware infection that not only encrypts a victim's data but also tidies up their computer by deleting duplicate files. When I first tested the ransomware, I noticed that it had deleted every file in a folder except for one, as illustrated in the images below.

As I knew this ransomware was still being developed, I assumed this was just a bug in the encryption routine. During the weekend, Michael Gillespie told me that the deletion of files was intentional: the ransomware was deleting duplicate files. When analyzing the ransomware, Gillespie noticed that it keeps track of the SHA256 hash of each file it encrypts. As it encrypts further files, if it encounters a file whose SHA256 hash it has already seen, it deletes that file instead of encrypting it.

[Image: source code showing deletion based on SHA256]

It should be noted that the ransomware only deletes duplicate files among the following file extensions that it targets for encryption.
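To make the described behaviour concrete, the following is an added simulation, not vxCrypter's code or any analyst's decompilation of it. It walks a directory, hashes every file whose extension is in a target list, and records what the hash-tracking logic described above would do to each file: the first file seen with a given SHA256 is marked for encryption, any later file with the same SHA256 is marked for deletion. Nothing is actually encrypted or deleted. The extension list is a hypothetical stand-in (the article's real list is not reproduced here), the walk order is an assumption, and the simulation assumes one global hash set shared across all targeted extensions, which is how the article describes the check but which may not match the real sample in every detail.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical target list for the simulation; the real extension list is not
# reproduced on this page.
TARGET_EXTENSIONS = {".docx", ".xlsx", ".jpg", ".txt"}


def sha256_of(path):
    """SHA256 of a file's plaintext contents, streamed in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plan_walk(root, extensions=TARGET_EXTENSIONS):
    """Return (encrypt, delete): which files the hash-dedup logic would
    encrypt and which it would delete instead, in walk order.

    Assumption: one hash set is shared across every targeted extension, so a
    .txt and a .docx with identical bytes count as duplicates of each other.
    Files outside the extension list are never hashed and never touched.
    """
    seen = set()
    encrypt, delete = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()            # deterministic order (an assumption, not the sample's)
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.suffix.lower() not in extensions:
                continue
            digest = sha256_of(path)
            if digest in seen:
                delete.append(path)   # duplicate content: deleted, not encrypted
            else:
                seen.add(digest)
                encrypt.append(path)  # first copy: encrypted, hash remembered
    return encrypt, delete


def demo():
    """Run the simulation over a constructed directory tree and return
    the relative paths the logic would encrypt and delete."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        # Constructed sample files: three carry identical bytes under
        # different names and extensions, two are identical JPEG stubs,
        # and one is an untargeted extension with duplicate content.
        (root / "reports" / "q1.docx").write_bytes(b"quarterly report")
        (root / "q1_copy.docx").write_bytes(b"quarterly report")
        (root / "notes.txt").write_bytes(b"quarterly report")
        (root / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (root / "photo_backup.jpg").write_bytes(b"\xff\xd8\xff")
        (root / "tool.exe").write_bytes(b"quarterly report")
        encrypt, delete = plan_walk(root)
        rel = lambda ps: [p.relative_to(root).as_posix() for p in ps]
        return rel(encrypt), rel(delete)


if __name__ == "__main__":
    enc, dele = demo()
    print("would encrypt:", enc)
    print("would delete: ", dele)
```

The point for a victim or responder is in the second list: once a duplicate has been deleted, decrypting the surviving copy is the only way its content comes back, so a "backup" that was a byte-identical copy in another folder is gone regardless of whether the ransom is paid or a decryptor appears. Note also that the hash is taken over plaintext before encryption, so the check is about content, not file names or locations.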
