A newly identified ransomware program poses a major threat to Windows systems. It begins by attempting to gain elevated privileges using known privilege-escalation techniques for PowerShell scripts. Once it has obtained these privileges, the ransomware proceeds to disable important security controls on the system.
One of the first things the malware does is disable the Windows Defender real-time protection service. This service is crucial for protecting the system from a wide range of threats, so disabling it leaves the system exposed to further attacks. The ransomware also disables security event logging, which makes it difficult for users and administrators to trace any suspicious activity that may be occurring.
The malware goes on to disable application event logging, further hindering the ability to monitor the system for unusual behavior. It then removes the restrictions placed on PowerShell script execution, allowing it to run malicious scripts without obstruction. Finally, the program deletes volume shadow copies to prevent system restore, making it even harder for users to recover their files.
After disabling these security measures, the ransomware targets a long list of processes belonging to various programs on the system, including browsers, video players, messaging applications, and Windows services. By killing these processes, the ransomware ensures that no running application holds a lock on important files, allowing it to encrypt them without interference.
Once this initial setup is complete, the malware spreads across all drives and subdirectories on the system. It iterates over every drive letter and recursively encrypts all files whose extensions match a list of targeted types. The encryption routine uses the ChaCha20 algorithm with ephemeral keys, so the files cannot practically be decrypted without the key. Encrypted files are given the .funksec extension, making it clear to users which files have been affected.
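The tampering steps described above (Defender real-time protection off, Security and Application logs disabled, PowerShell execution policy loosened, shadow copies deleted) and the .funksec extension are all checkable from the defender's side. The following PowerShell audit script is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later with the Defender module available, should be run elevated for complete results, and the $ScanRoot parameter is hypothetical.

```powershell
# Added defensive check: report whether the controls the article says the
# ransomware disables are currently off, and look for already-renamed files.
# $ScanRoot is a hypothetical parameter chosen for this example.
param(
    [string]$ScanRoot = "$env:SystemDrive\"
)

$findings = @()

# 1. Windows Defender real-time protection
try {
    if ((Get-MpPreference).DisableRealtimeMonitoring) {
        $findings += 'Defender real-time monitoring is disabled'
    }
} catch { $findings += "Could not query Defender preferences: $($_.Exception.Message)" }

# 2./3. Security and Application event logs (IsEnabled = $false means logging is off)
foreach ($log in 'Security', 'Application') {
    try {
        $cfg = Get-WinEvent -ListLog $log -ErrorAction Stop
        if (-not $cfg.IsEnabled) { $findings += "$log event log is disabled" }
    } catch { $findings += "Could not read $log log configuration: $($_.Exception.Message)" }
}

# 4. Machine-wide PowerShell execution policy loosened to allow any script
$policy = Get-ExecutionPolicy -Scope LocalMachine
if ($policy -in 'Unrestricted', 'Bypass') {
    $findings += "LocalMachine execution policy is $policy"
}

# 5. Volume shadow copies. Absence alone is weak evidence (System Protection may
#    simply be off), so compare against the host's known baseline.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings += 'No volume shadow copies are present' }

# 6. Files carrying the extension the article describes (first 20 hits only)
$hits = @(Get-ChildItem -Path $ScanRoot -Filter '*.funksec' -Recurse -File `
             -ErrorAction SilentlyContinue | Select-Object -First 20)
if ($hits.Count -gt 0) {
    $findings += "Found $($hits.Count)+ .funksec file(s), e.g. $($hits[0].FullName)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No tamper indicators found'
} else {
    $findings | ForEach-Object { Write-Output "WARNING: $_" }
}
```

Each warning on its own can have a benign explanation; several appearing together on a host that previously had them all enabled is the pattern worth escalating.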
Overall, this new ransomware program poses a significant threat by disabling critical security controls and then encrypting files across the entire system. Users are advised to be cautious while browsing the internet and to keep their security software up to date to protect against such threats. Vigilance is key to preventing the spread of ransomware and protecting critical data from being compromised.