Virobot: are monster mash-ups the future of ransomware?

Veux-tu Virobot?
For the non-francophones among us, what we’re asking is if you’ve heard about the latest ransomware variant dubbed Virobot.

Multi-tasking Ransomware

Discovered by researchers in mid-September, Virobot is one heck of a multi-tasker. Though it’s clearly still under development, Virobot boasts an impressive CV of malicious skills — aside from the typical “execute and encrypt” ransomware capabilities, it logs and steals keystrokes and perhaps even worse, victim computers are enlisted into a spam-churning botnet.

Another distinguishing factor, Virobot seems to be of French origin, as the ransom note displayed on the victim’s screen is all in French. Nowadays, with most ransomware variants coming out of Russia, this could be a clever red herring but authorities seem to agree that the threat probably is fabrique-en-France. Thus far, it has been spotted targeting users in the US via spam emails using MS Outlook.

Once Virobot gets onto a machine, it scans for certain registry keys which helps it “decide” if this machine should be encrypted or not. Once it decides that it should be encrypted, it generates encryption and decryption keys. When that’s completed, it sends machine-specific data back to the commands and control (C&C) server, which allows it to take control over MS Outlook. With this level of control, it can now enlist the victim machine into its spam-sending botnet, making it an unwitting accomplice in the scheme. For a final touch, it accesses the victim’s address book and sends Virobot-containing spam emails to all the victim’s contacts. Should the email recipient open the attachment, their data will be encrypted and their machine will become part of the botnet.

The decrypt fee is about $250 in Bitcoins but thankfully, for now, their server seems to be shut down, which means that it’s not spreading any further at the moment. Interestingly, Virobot doesn’t seem to be connected in anyway to previous ransomware variants, although another French-made ransomware variant called PyLocky began making rounds just a few weeks ago.

Blended Threats – A new phenomenon?

For all its capabilities, Virobot is just another manifestation of a blended threat; or, a threat that attacks you over here with its arms, over there with its legs, around the corner with a torpedo and across the street with a stink bomb. And all at the same time, mind you, instead of just one quick punch to the gut.

It sounds bad but it’s really nothing new — we’ve seen similar multi-tasking abilities with Rakhni ransomware; DDoS and botnet generally use varied methods to infect their victims. It makes a lot of sense if you think about it. Why rely on just one attack method when you could be using lots of attack methods?

And while they have always been around, blended threats are becoming more commonplace, simply because they work. They hit machines and networks at various weak points all at once to make a complicated situation even more so. They create a smokescreen of sorts, making you think the threat is just the ransomware or a DDoS, while a greater, more dangerous threat goes unnoticed because you’re too busy dealing with the first threat.

We know all about blended threats or multi-tasking baddies. Whatever you prefer to call them, it’s crucial to make sure they stay away from your data. And when it comes to ransomware, it’s even more important to keep it from infiltrating because once encryption of files has started, it cannot be undone without the decrypt fee — and your attackers will make sure you pay dearly for it.
Our ransomware prevention tool keeps attackers from getting what they want — your money and your data. It effectively blocks all kinds of ransomware, multi-taskers and not.

How to make sure you’re in the clear from ransomware including Virobot

1. Go to Reasonlabs.com
2. Download and install RAV Endpoint Protection
3. Update the license
4. You’re now protected from Virobot and any other ransomware variant that tries to make its way on to your computer. If anything malicious attempts to encrypt your files, with our Ransomware Protection feature, the process is automatically blocked.

So does the future of malware lay in monster mash-ups of baddies like ransomware, Trojans, DDoS, and botnets? It’s safe to assume that attacks will only get bolder, smarter and more capable, likely using more than one way to get what they want. Keep your data secure with a solution that targets these mash-ups with a multi-faceted defense.