You can check the latest ransomware information.
[Vypt ransomware]
[Virus/Malware Activity Report: Vypt Ransomware]
Following an intrusion believed to involve Vypt ransomware,
we describe the situation and issue the following warning.
Vypt ransomware
The ransomware is called Vypt and appears to rename every file by appending _[ID-9BCBR_Mail-Ross.dec1966@gmail.com].Vypt to the original file name and extension.
How it works
File version
[Figure 1 Ransomware compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
Register startup program and create service
When it runs for the first time, the ransomware copies itself into the startup folder and registers that file as a service (automatic execution option) so that it can be re-executed repeatedly when Windows boots.
[Figure 3 Ransomware created in startup program folder]
[Figure 4 Register for service using cmd’s sc command]
Install and run scripts that supplement the ransomware's behavior
The ransomware creates S-6748.bat, S-8459.vbs and S-2153.bat, in that order, in the AppData folder. These scripts delete the shadow copies and check whether the ransomware is operating properly (if it is not running, they re-run the copy registered in the startup folder). The ransomware supplements itself in several ways so that it can keep operating even if the initially executed process is stopped.
[Figure 5 Generated script and driver files]
[Figure 6 Some details such as duplication prevention and shadow copy]
Infection results
Guide files (ransom notes) are placed in each path.
[Figure 7 Infection results]
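The renamed-file suffix and the helper script names described above can be used to triage a file listing from an affected host. The following is an added example, not code from the original report: the sample paths are constructed, and treating the ID, the mail address and the S-NNNN script numbers as variable is an assumption based on the single sample shown here.

```python
import re
from pathlib import PureWindowsPath

# Suffix format from the single sample in the report:
#   <original name>_[ID-9BCBR_Mail-Ross.dec1966@gmail.com].Vypt
# Assumption: the ID and mail address may differ per victim, so both are captured.
VYPT_SUFFIX = re.compile(
    r"^(?P<orig>.+)_\[ID-(?P<id>[^_\]]+)_Mail-(?P<mail>[^\]]+)\]\.Vypt$",
    re.IGNORECASE,
)
# Script names listed in the report, plus an assumed generic S-NNNN pattern.
REPORTED_HELPERS = {"s-6748.bat", "s-8459.vbs", "s-2153.bat"}
HELPER_PATTERN = re.compile(r"^S-\d{4}\.(bat|vbs)$", re.IGNORECASE)

# Constructed sample listing (for example, a recursive directory listing of a triage image).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx_[ID-9BCBR_Mail-Ross.dec1966@gmail.com].Vypt",
    r"C:\Users\alice\Pictures\a_b.jpg_[ID-9BCBR_Mail-Ross.dec1966@gmail.com].Vypt",
    r"C:\Users\alice\AppData\Roaming\S-6748.bat",
    r"C:\Users\alice\AppData\Roaming\S-1111.vbs",
    r"C:\Users\alice\Documents\S-6748.bat",   # same name, but outside AppData
    r"C:\Users\alice\Documents\notes.txt",    # untouched file
]

def triage(paths):
    """Split a file listing into encrypted files and suspected helper scripts."""
    report = {"encrypted": [], "helpers": [], "ids": set(), "mails": set()}
    for raw in paths:
        p = PureWindowsPath(raw)
        m = VYPT_SUFFIX.match(p.name)
        if m:
            # Pair each encrypted path with the name it had before the rename.
            report["encrypted"].append((raw, str(p.with_name(m["orig"]))))
            report["ids"].add(m["id"])
            report["mails"].add(m["mail"])
            continue
        in_appdata = any(part.lower() == "appdata" for part in p.parts)
        if in_appdata and HELPER_PATTERN.match(p.name):
            source = "reported" if p.name.lower() in REPORTED_HELPERS else "pattern"
            report["helpers"].append((raw, source))
    return report

if __name__ == "__main__":
    result = triage(SAMPLE)
    for enc, orig in result["encrypted"]:
        print(f"encrypted: {enc} -> was {orig}")
    for path, source in result["helpers"]:
        print(f"helper script ({source} name): {path}")
    print("victim IDs:", sorted(result["ids"]), "contacts:", sorted(result["mails"]))
```

Hits tagged "pattern" match only the assumed S-NNNN naming and need manual review before they are treated as indicators.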
White Defender response
White Defender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 8 Block message]