vxCrypter Removes Duplicate Files to Increase Encryption Speed
A newly discovered ransomware variant called vxCrypter goes beyond the standard encryption included in all ransomware.
BleepingComputer’s Lawrence Abrams confirmed he discovered vxCrypter and reported that it is still under development. Based on his findings, vxCrypter is believed to have been developed from vxLock, an older ransomware variant that was never completed or released into the wild.
Once vxCrypter is downloaded and begins to encrypt the user’s files, the ransomware tracks their SHA256 hashes. If it then finds another file with the same hash as one it previously identified, it deletes that file. It is unclear why the hackers would program the malware to delete duplicate files, other than to increase the encryption speed. By increasing the encryption speed, the hackers are able to maximize damage in minimal time.
Not all file types are deleted when they are duplicates. For example, if vxCrypter finds duplicate .exe or .dll files, it does not remove them. Instead, the hackers focus on documents, pictures, .java and .zip files.
To date, this is the first ransomware variant that deletes duplicate files from victims’ devices.
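The behaviour described above suggests a detection heuristic: a single process that rewrites a file and then deletes another file with the same SHA256. The following is an added example, not code from the article or from the researcher's analysis; the event format, the pre-incident hash inventory, the threshold and all names are assumptions.

```python
import os
from collections import defaultdict

# Extensions the article says are left alone even when duplicated.
SKIPPED_EXTS = {".exe", ".dll"}

def find_dedup_deleters(baseline, events, threshold=2):
    """Return {process: [deleted paths]} for processes that delete files whose
    baseline SHA256 matches a file the same process already rewrote.

    baseline: {path: sha256} from a pre-incident inventory (assumed to exist).
    events:   (process, op, path) tuples in time order, op is "write" or "delete".
    """
    rewritten = defaultdict(set)   # process -> hashes of files it has rewritten
    hits = defaultdict(list)       # process -> duplicate files it then deleted
    for process, op, path in events:
        digest = baseline.get(path)
        if digest is None:
            continue  # file not in the inventory, nothing to compare against
        if op == "write":
            rewritten[process].add(digest)
        elif op == "delete":
            ext = os.path.splitext(path)[1].lower()
            if ext not in SKIPPED_EXTS and digest in rewritten[process]:
                hits[process].append(path)
    return {p: paths for p, paths in hits.items() if len(paths) >= threshold}

# Constructed sample data (shortened placeholder digests, not real hashes).
BASELINE = {
    "/home/u/report.docx": "aa11", "/home/u/backup/report.docx": "aa11",
    "/home/u/pic.jpg": "bb22", "/home/u/old/pic.jpg": "bb22",
    "/home/u/notes.txt": "cc33", "/home/u/tmp/cache.zip": "dd44",
    "/opt/app/lib.dll": "ee55", "/opt/app/copy/lib.dll": "ee55",
}
EVENTS = [
    ("proc_a", "write", "/home/u/report.docx"),
    ("proc_a", "delete", "/home/u/backup/report.docx"),
    ("proc_a", "write", "/home/u/pic.jpg"),
    ("proc_a", "delete", "/home/u/old/pic.jpg"),
    ("proc_a", "write", "/opt/app/lib.dll"),
    ("proc_a", "delete", "/opt/app/copy/lib.dll"),   # skipped extension
    ("cleanup", "delete", "/home/u/tmp/cache.zip"),  # ordinary delete, no prior rewrite
    ("editor", "write", "/home/u/notes.txt"),
]

if __name__ == "__main__":
    for proc, paths in find_dedup_deleters(BASELINE, EVENTS).items():
        print(proc, "deleted", len(paths), "duplicates of files it rewrote:", paths)
```

Because the deleted duplicates never receive an encrypted copy, the same inventory also tells a responder which paths must be restored from backup rather than decrypted.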