
New ransomware group Funksec is rapidly gaining traction

The ransomware program attempts to gain elevated privileges using known techniques for PowerShell scripts, then proceeds to disable the Windows Defender real-time protection service, security event logging on the system, and application event logging, remove restrictions placed on PowerShell execution, and finally delete volume shadow copies to prevent system restore.

The malware then attempts to kill a long list of processes associated with a variety of programs, including browsers, video players, messaging applications, and Windows services. This ensures that access to potentially important files that will subsequently be encrypted is not locked by these applications.

Malware spreads across all drives and subdirectories

The ransomware will then iterate over all drive letters and recurse through all subdirectories, encrypting every file whose extension is on a list of targeted extensions. The file encryption routine uses the ChaCha20 algorithm with ephemeral keys. Encrypted files have the .funksec extension appended to them.
