A newly discovered malware strain, Virobot, is a multi-threat malware: it encrypts users' files, logs and steals their keystrokes, and adds infected computers to a spam-sending botnet.
According to the cybersecurity firm Trend Micro, it has no ties to any previously known ransomware family.
How Virobot Encrypts Data:
Like most ransomware seen so far, Virobot is distributed through spam email (malspam): the user is tricked into downloading and running the ransomware attached to an email document.
Once Virobot is downloaded to a machine, it checks for the presence of specific registry keys to determine whether the system should be encrypted.
If those registry keys exist, the ransomware generates an encryption and decryption key via a cryptographic random number generator and proceeds with encryption. Virobot then sends the generated key, together with data gathered from the machine, to its C&C server via an HTTP POST.
Virobot targets the following extensions:
TXT, DOC, DOCX, XLS, XLSX, PPT, PPTX, ODT, JPG, PNG, CSV, SQL, MDB, SLN, PHP, ASP, ASPX, HTML, XML, PSD, PDF, and SWP.
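As an added example (not part of this article or of Trend Micro's analysis), the following Python triage script uses the extension list above to estimate the impact of a Virobot-style infection on a directory: targeted files whose leading bytes have ciphertext-like entropy, or whose expected file signature is missing for formats that are compressed by design, are reported as likely encrypted. The 7.5 bits/byte threshold and the signature table are assumptions made for this example.

```python
import math
import sys
from collections import Counter
from pathlib import Path

# Extension list as reported for Virobot above (lower-cased suffixes).
TARGETED = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt",
    ".jpg", ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp",
    ".aspx", ".html", ".xml", ".psd", ".pdf", ".swp",
}
# Formats that are compressed by design look random even when intact, so
# they are judged by their file signature instead of by entropy (assumed table).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".odt": b"PK\x03\x04", ".psd": b"8BPS",
}
# Shannon entropy in bits per byte: text sits around 4-5, ciphertext near 8.
# 7.5 is an assumed triage threshold, not a value from the report.
HIGH_ENTROPY = 7.5

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(name: str, head: bytes) -> bool:
    """True if a file with this name and leading bytes has a targeted
    extension and looks encrypted; False otherwise."""
    ext = Path(name).suffix.lower()
    if ext not in TARGETED:
        return False
    if ext in MAGIC:
        return not head.startswith(MAGIC[ext])
    return shannon_entropy(head) >= HIGH_ENTROPY

def triage(root, sample_bytes: int = 4096):
    """Walk a directory; return (targeted_file_count, suspicious_paths)."""
    targeted, suspicious = 0, []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGETED:
            targeted += 1
            with open(p, "rb") as f:
                if classify(p.name, f.read(sample_bytes)):
                    suspicious.append(str(p))
    return targeted, suspicious

if __name__ == "__main__":
    count, hits = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{count} targeted files scanned, {len(hits)} look encrypted")
    print("\n".join(hits))
```

Run it as `python triage.py <directory>`; a high ratio of flagged files among targeted types on a host is a quick indicator that encryption has already run.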
Virobot also has a keylogging feature and connects back to its C&C server to send logged keystrokes from an infected machine. Once connected to the C&C, it may download files – possibly another malware binary – and execute it using PowerShell.
This malware uses the infected machine's Microsoft Outlook to implement its spam botnet capability and spread to the user's contact list. Virobot sends the victim's contacts a copy of itself or a malicious file downloaded from its C&C server.
This can be mitigated by implementing strong email and web security solutions to prevent ransomware from reaching end users.
Real-time web reputation and behavior monitoring, combined with endpoint protection, can also detect and block ransomware.
For more details: Security Operation Center