New Virobot ransomware will also log keystrokes, add PC to a spam botnet

A newly discovered ransomware strain is a multi-tasking threat: besides encrypting users' files, it can also log and steal their keystrokes and add infected computers to a spam-sending botnet.

The new ransomware is named Virobot and has no ties to previous ransomware family trees, according to cyber-security firm Trend Micro, whose malware analysts spotted the new threat this week.

But while the Virobot ransomware component appears to be unrelated to any other ransomware strain, its mode of operation is nothing new and follows the same modus operandi as most earlier ransomware.


The current infection vector appears to be spam emails (also known as malspam). Once a user is tricked into opening a malicious email attachment and running the ransomware, it generates a random encryption and decryption key, which it also sends to a remote command and control (C&C) server.

The encryption process relies on the RSA encryption scheme, and Virobot will target files with the following extensions: TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.
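The two indicators the article gives a responder to work with are the list of targeted extensions and the `.enc` suffix appended to encrypted files. The following is an added triage helper, not code from the article or from Trend Micro: it walks a directory tree, counts files that look encrypted, counts files with targeted extensions that are still untouched (useful for scoping what a partially completed run would have hit), and lists the encrypted paths. It assumes the encrypted name keeps the original extension (`report.docx.enc`), which the article does not spell out; the sample tree it builds is constructed for the demonstration. Because many families use `.enc`, the output scopes an incident and does not attribute it to Virobot.

```python
"""Triage helper for a suspected Virobot-style infection.

Inventories files under a root directory by Virobot's reported target
extensions and its ".enc" suffix. Matching the suffix is NOT attribution:
the article notes that many ransomware families append ".enc".
"""
import tempfile
from collections import Counter
from pathlib import Path

# Extensions Trend Micro reported Virobot targets (from the article).
TARGET_EXTENSIONS = {
    "txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "odt", "jpg", "png",
    "csv", "sql", "mdb", "sln", "php", "asp", "aspx", "html", "xml", "psd",
    "pdf", "swp",
}
ENCRYPTED_SUFFIX = ".enc"


def _extension(name: str) -> str:
    """Lower-case extension without the dot, or '' if there is none."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(path: Path) -> str:
    """Return 'encrypted', 'at_risk' or 'other' for one file name.

    Assumption: the encrypted file keeps its original extension in the
    name, i.e. report.docx -> report.docx.enc. A ".enc" file whose inner
    extension is not on the target list is reported as 'other' because
    this ransomware would not have produced it.
    """
    name = path.name.lower()
    if name.endswith(ENCRYPTED_SUFFIX):
        inner = name[: -len(ENCRYPTED_SUFFIX)]
        return "encrypted" if _extension(inner) in TARGET_EXTENSIONS else "other"
    return "at_risk" if _extension(name) in TARGET_EXTENSIONS else "other"


def triage(root) -> dict:
    """Walk `root` and summarise what the ransomware hit and what it would hit."""
    root = Path(root)
    counts = Counter({"encrypted": 0, "at_risk": 0, "other": 0})
    encrypted = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = classify(p)
        counts[kind] += 1
        if kind == "encrypted":
            encrypted.append(p.relative_to(root).as_posix())
    return {"counts": dict(counts), "encrypted": sorted(encrypted)}


def build_sample_tree(root) -> None:
    """Constructed sample data for the demonstration; not a real infection."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    samples = {
        "docs/report.docx.enc": b"ciphertext",   # targeted type, encrypted
        "photo.jpg.enc": b"ciphertext",          # targeted type, encrypted
        "notes.txt": b"plain text",              # targeted type, still clear
        "backup.zip": b"PK",                     # not a targeted type
        "archive.zip.enc": b"ciphertext",        # .enc but not a Virobot target
    }
    for rel, data in samples.items():
        (root / rel).write_bytes(data)


def demo() -> dict:
    """Build the sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    result = demo()
    print("counts:", result["counts"])
    for path in result["encrypted"]:
        print("encrypted:", path)
```

Run it against a mounted image or share instead of the temp directory by calling `triage("/mnt/evidence")`; the `at_risk` count is the quickest way to see whether the encryption run completed or was cut short, which matters given the article's observation that Virobot will not encrypt at all while its C&C server is unreachable.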

Once this operation finishes, Virobot shows a ransom note on the user’s screen, like the one below. This note is written in French, which Trend Micro researchers found odd because the campaign spreading the ransomware had also clearly targeted US users.

[Image: Virobot ransom note. Image credit: Trend Micro]

Interestingly, Virobot is not the only ransomware with a French connection that appeared in the past few weeks. At the end of August, security researcher MalwareHunter noticed that a ransomware strain named PyLocky, created to imitate the much more famous Locky ransomware, had also been very active in targeting France.


But besides its ransomware component, Trend Micro says it also discovered two other components: a keylogger and a botnet module.

The keylogger component is simplistic: it logs all local keystrokes and sends the raw data to the C&C server.

The botnet module, on the other hand, is more powerful. It allows the Virobot operator to download other malware from the ransomware's C&C server and execute it on the infected machine.

Further, this module would also work as a spam module, using the locally installed Outlook app to send spam to the user’s contact list. Trend Micro reported that Virobot would use this module to spread a copy of itself as part of a rudimentary worm-like feature.


Michael Gillespie, the owner of ID Ransomware, a service for scanning encrypted files and ransom notes to determine what type of ransomware has infected a PC, told ZDNet today that there is no way of detecting Virobot infections via his website.

This is because the ransomware shares common detection indicators with other strains, such as appending the .enc file extension to encrypted files, an extension used by many other strains.

Luckily, its French-written ransom note is more than enough for users to guess or determine that they have been infected with Virobot.

For now, according to Trend Micro, the threat has been temporarily mitigated because at the time of writing the Virobot C&C server was down, meaning the ransomware will not start the encryption process when infecting new victims.

Since this is a new ransomware strain, this is most likely because of tests that most malware distributors carry out, and it’s expected that the ransomware’s C&C servers will eventually come back for broader distribution campaigns in the future.

Virobot is also not the first ransomware strain that comes with a keylogger or other components. The line between ransomware, banking trojans, keyloggers, and other malware categories has been getting murkier in past years.

For example, malware strains such as MysteryBot, LokiBot, Rakhni, or XBash, have often come with multi-functional features, blending everything from ransomware to cryptominers in the same package.

Maybe that is why some researchers are now contesting Trend Micro’s decision to categorize Virobot as ransomware instead of a botnet. With the lines getting blurry, it’s getting hard to tell what’s what anymore.
