FunkSec’s new ransomware funksec is fast to detect

The ransomware tries to obtain elevated privileges using well-known PowerShell script techniques, then it detects the logging of security events, removes the restrictions placed on PowerShell execution, and finally deletes the Volume Shadow Copies used for system recovery.

The malware program then tries to kill a long list of processes associated with various systems, including browsers, video players, messaging apps, and Windows services. This ensures that access to potentially important files that will be hidden is not blocked by those applications.

The malware spreads to all drives and subdirectories

The ransomware will then go through all drive letters and recurse through all subdirectories, encrypting all files whose extensions are on a list of target extensions. File encryption uses the ChaCha20 algorithm with ephemeral keys. Encrypted files have a .Funksec extension attached to them.
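The behaviours described above (PowerShell execution restrictions removed, Volume Shadow Copies deleted, many processes killed, files gaining the .Funksec extension) can be correlated per host for detection. The Python below is an added example, not part of the original article or any vendor's rule; the command-line patterns, thresholds, host names and sample events are assumptions constructed for illustration, since the article does not name the exact commands.

```python
import re
from collections import defaultdict

# Assumed generic command-line patterns; the article names behaviours, not commands.
PATTERNS = {
    "ps_policy": re.compile(r"set-executionpolicy\s+(bypass|unrestricted)\b", re.I),
    "shadow_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "proc_kill": re.compile(r"\btaskkill(\.exe)?\s+/|\bstop-process\s", re.I),
}
WINDOW = 300       # seconds within which the behaviours must co-occur (assumed)
KILL_BURST = 5     # process kills that count as a burst (assumed)
RENAME_BURST = 3   # files gaining the extension that count as a burst (assumed)
EXT = ".funksec"   # extension reported in the article, matched case-insensitively

def detect(proc_events, file_events):
    """Return {host: sorted behaviours} for hosts showing >= 3 behaviours in WINDOW."""
    hits = defaultdict(list)  # host -> [(timestamp, behaviour)]
    for ts, host, cmd in proc_events:
        for name, rx in PATTERNS.items():
            if rx.search(cmd):
                hits[host].append((ts, name))
    for ts, host, path in file_events:
        if path.lower().endswith(EXT):
            hits[host].append((ts, "ext_rename"))
    alerts = {}
    for host, evs in hits.items():
        evs.sort()
        for start, _ in evs:  # slide a window starting at each matched event
            win = [b for t, b in evs if start <= t < start + WINDOW]
            seen = {b for b in win if b in ("ps_policy", "shadow_delete")}
            if win.count("proc_kill") >= KILL_BURST:
                seen.add("proc_kill_burst")
            if win.count("ext_rename") >= RENAME_BURST:
                seen.add("ext_rename_burst")
            if len(seen) >= 3:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry: (epoch seconds, host, command line or file path).
PROC = [(100, "WS01", "powershell.exe Set-ExecutionPolicy Bypass -Scope Process -Force"),
        (105, "WS01", "vssadmin.exe delete shadows /all /quiet")]
PROC += [(110 + i, "WS01", f"taskkill /F /IM app{i}.exe") for i in range(6)]
PROC += [(200, "WS02", "powershell.exe Set-ExecutionPolicy RemoteSigned"),  # admin noise
         (900, "WS02", "taskkill /F /IM notepad.exe")]
FILES = [(130 + i, "WS01", rf"C:\Users\a\doc{i}.docx.Funksec") for i in range(4)]

if __name__ == "__main__":
    print(detect(PROC, FILES))
```

Requiring three co-occurring behaviours keeps a lone administrative `taskkill` or policy change (as on the constructed host WS02) from raising an alert.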

