First, the program checks whether it is running on an analysis machine (a VM, a sandbox, and the like). If it is, it stops and deletes itself; otherwise the process starts:
The system reboots into safe mode (if it is not already in it), because in safe mode most drivers are disabled, which means that AV products won't run (shadow copies also don't work in this mode). Then the program obtains elevated privileges through a UAC bypass in order to perform certain registry changes and access certain files.
Once it has admin privileges, each file is encrypted using a newly generated AES-256 key. The process takes a couple of seconds, since it uses multithreading.
Keep in mind that this ransomware does not implement decryption. If you want to implement this ability, you will have to store each AES key and later decrypt using that key.
If you want extra security, you can read this article, which explains how to combine AES and RSA: AES-RSA
- Since the program uses multithreading, encryption takes around 15 seconds.
- Each file is encrypted using a technique called RIPlace, which bypasses Windows Controlled Folder Access. More on RIPlace
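From the defender's side, the observable result of the per-file AES-256 encryption described above is that the affected files suddenly look like random bytes. The following is an added example, not part of this project's code, showing the standard entropy heuristic an incident responder or EDR rule uses to triage which files have been overwritten with ciphertext. The file names and the two sample inputs (one plaintext, one SHA-256-chain stand-in for AES output) are constructed for the example.

```python
import math
import hashlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0) over the byte distribution of `data`."""
    if not data:
        return 0.0
    counts = Counter(data)          # iterating bytes yields ints 0..255
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, threshold: float = 7.5, min_len: int = 256) -> bool:
    """Heuristic: properly encrypted output is indistinguishable from random bytes,
    so its entropy sits close to 8 bits/byte. Inputs shorter than `min_len` are
    skipped because the estimate is unreliable on tiny samples."""
    return len(data) >= min_len and shannon_entropy(data) >= threshold


def constructed_ciphertext_like(n: int) -> bytes:
    """Constructed stand-in for an AES-encrypted file: a SHA-256 chain gives
    deterministic, uniformly distributed bytes without needing a crypto library."""
    out = bytearray()
    block = b"constructed-seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed plaintext sample standing in for an ordinary document.
PLAINTEXT_SAMPLE = (b"Quarterly report: revenue grew 12% year over year. "
                    b"See the attached spreadsheet for details.\n") * 40


def scan(samples: dict) -> dict:
    """Classify each named sample; returns {name: (entropy, flagged)}."""
    return {name: (round(shannon_entropy(d), 2), looks_encrypted(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = scan({"report.txt": PLAINTEXT_SAMPLE,                      # constructed name
                    "report.txt.locked": constructed_ciphertext_like(4096)})  # constructed name
    for name, (ent, flagged) in results.items():
        print(f"{name}: {ent} bits/byte -> {'ENCRYPTED?' if flagged else 'ok'}")
```

Entropy alone is a triage signal, not proof: compressed formats (zip, jpeg, mp4) also sit near 8 bits/byte, so a real rule combines this with a sudden burst of rewrites or renames across many files in a short window, which is exactly the footprint a 15-second multithreaded run leaves behind.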