New VCrypt Ransomware locks files in password-protected 7ZIPs


A new ransomware called VCrypt is targeting French victims by utilizing the legitimate 7zip command-line program to create password-protected archives of data folders.


BleepingComputer was told today about a new ransomware that was deleting all of a victim's files found in Windows data folders and then creating new "encrypted" files named after the folder name.


These encrypted files would utilize a naming format of username_foldername.vxcrypt.


For example, the files in the Documents folder would be deleted, and a file named User_documents.vcrypt would be created, as shown in the image below.



Archived folders

When the ransomware is started, the malware will also launch Internet Explorer and display a ransom note named help.html. This ransom note is written in French and tells the user to visit a web page to learn how to get their files back.



VCrypt Ransom Note

The English translation of this ransom note can be read below.



Q: What happened to my files?
A: All your files have been encrypted and placed in a security zone.

Q: How to recover my documents !! ?
A: Follow the instructions available via this web page. If the page does not open, please check your internet connection.

By the time we gained access to the ransom note, the ransom site had already been taken offline, so it is not known how much the attackers are asking as ransom.


VCrypt creates password-protected 7zip archives


After receiving the sample, BleepingComputer was able to determine that the ransomware is not encrypting any files.


Instead, when it is executed, the ransomware will configure itself to automatically start and then extract the legitimate 7zip command-line program named 7za.exe to the % ..
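For responders, the finding above can be checked on disk: a file with this ransomware's extension should begin with a valid 7z signature header. The following triage sketch is an added example, not code from BleepingComputer or from the sample; the function names are hypothetical, both extension spellings used in this article are matched, and the 32-byte header layout is taken from the public 7z format.

```python
import os, struct, sys, tempfile, zlib

SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"    # 7z signature-header magic bytes
SUSPECT_EXTS = (".vxcrypt", ".vcrypt")  # both spellings appear in the article

def sevenz_start_header(path):
    """Return (major, minor, next_offset, next_size) for a valid 7z header, else None."""
    with open(path, "rb") as fh:
        head = fh.read(32)
    if len(head) < 32 or head[:6] != SEVENZ_MAGIC:
        return None
    major, minor, start_crc = struct.unpack_from("<BBI", head, 6)
    if zlib.crc32(head[12:32]) != start_crc:  # CRC32 over the 20-byte start header
        return None
    next_offset, next_size, _next_crc = struct.unpack_from("<QQI", head, 12)
    return major, minor, next_offset, next_size

def triage(root):
    """Walk root and report each suspect-named file and whether it is a complete 7z."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUSPECT_EXTS):
                continue
            path = os.path.join(dirpath, name)
            try:
                hdr, size = sevenz_start_header(path), os.path.getsize(path)
            except OSError:
                continue  # unreadable or locked file: skip it and keep walking
            # A truncated archive is shorter than its own header says it should be.
            intact = hdr is not None and 32 + hdr[2] + hdr[3] <= size
            findings.append({"path": path, "is_7z": hdr is not None, "intact": intact})
    return findings

def constructed_sample(payload_len=16, next_len=8):
    """Constructed bytes: a structurally valid 7z header with filler, not a real archive."""
    start = struct.pack("<QQI", payload_len, next_len, 0)
    head = SEVENZ_MAGIC + struct.pack("<BBI", 0, 4, zlib.crc32(start)) + start
    return head + b"\x00" * (payload_len + next_len)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        root = sys.argv[1]
    else:  # no argument: demonstrate on a constructed sample in a temp directory
        root = tempfile.mkdtemp()
        with open(os.path.join(root, "User_documents.vxcrypt"), "wb") as fh:
            fh.write(constructed_sample())
    for finding in triage(root):
        print(finding)
```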
