The ransomware program first attempts to gain elevated privileges using techniques well known for PowerShell scripts. It then disables the Windows Defender real-time protection service, disables security event logging and application event logging on the system, removes the restrictions placed on PowerShell script execution, and finally deletes volume shadow copies to prevent system restore.
The malware then attempts to kill a long list of processes belonging to a variety of programs, including browsers, video players, messaging applications, and Windows services. This ensures that the files it subsequently encrypts are not held open or locked by those applications.
Malware spreads across all drives and subdirectories
The ransomware then iterates over all drive letters and recurses through every subdirectory, encrypting each file whose extension is on its target list. The file encryption routine uses the ChaCha20 algorithm with ephemeral keys. Encrypted files receive the .funksec extension.
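As an added defensive illustration (not code from this report or from the malware), the following Python detector scores the preparation sequence described above (real-time protection disabled, audit log cleared, shadow copies deleted, mass process termination) together with the .funksec extension from the encryption stage, over constructed sample telemetry. The channel names, field names, thresholds and window are assumptions modelled on common Windows Defender, Security and Sysmon event fields.

```python
import json

# Constructed sample telemetry (not from the report): one JSON record per
# line. Event IDs used: Defender 5001 (real-time protection disabled),
# Security 1102 (audit log cleared), Sysmon 1 (process create),
# 5 (process terminate) and 11 (file create). Field names are assumptions.
SAMPLE_LOG = "\n".join(
    ['{"ts": 100, "channel": "Defender", "event_id": 5001}',
     '{"ts": 101, "channel": "Security", "event_id": 1102}',
     '{"ts": 102, "channel": "Sysmon", "event_id": 1, "image": "vssadmin.exe",'
     ' "cmdline": "vssadmin delete shadows /all /quiet"}']
    + ['{"ts": %d, "channel": "Sysmon", "event_id": 5, "image": "app%d.exe"}'
       % (103 + i, i) for i in range(12)]
    + ['{"ts": 120, "channel": "Sysmon", "event_id": 11,'
       ' "target": "C:/Users/alice/Documents/report.docx.funksec"}'])

MASS_KILL_THRESHOLD = 10   # assumption: terminations needed inside one window
WINDOW_SECONDS = 60        # assumption: window for the mass-kill heuristic

def analyse(log_text):
    """Return (sorted stages seen, verdict) for one host's telemetry."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    stages, kill_times = set(), []
    for e in events:
        ch, eid = e.get("channel"), e.get("event_id")
        if ch == "Defender" and eid == 5001:
            stages.add("defender_realtime_disabled")
        elif ch == "Security" and eid == 1102:
            stages.add("audit_log_cleared")
        elif (ch == "Sysmon" and eid == 1
              and e.get("image", "").lower() == "vssadmin.exe"
              and "delete" in e.get("cmdline", "").lower()):
            stages.add("shadow_copies_deleted")
        elif ch == "Sysmon" and eid == 5:
            kill_times.append(e["ts"])
        elif (ch == "Sysmon" and eid == 11
              and e.get("target", "").lower().endswith(".funksec")):
            stages.add("funksec_extension_written")
    # Mass termination: many process exits packed into one short window.
    kill_times.sort()
    for i in range(len(kill_times) - MASS_KILL_THRESHOLD + 1):
        if kill_times[i + MASS_KILL_THRESHOLD - 1] - kill_times[i] <= WINDOW_SECONDS:
            stages.add("mass_process_termination")
            break
    # The encryption artefact alone is decisive; otherwise require at least
    # three preparatory stages so that a lone admin action does not alert.
    precursors = stages - {"funksec_extension_written"}
    if "funksec_extension_written" in stages or len(precursors) >= 3:
        return sorted(stages), "ransomware_activity"
    return sorted(stages), ("suspicious" if precursors else "clean")

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```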