Researchers Discovered New Virobot Ransomware with Botnet Capabilities


Researchers have discovered new ransomware named Virobot, which has the capabilities of both ransomware and a botnet.

The ransomware was discovered by researchers at Trend Micro. It not only encrypts the victim's files but also makes the infected machine part of a spam botnet that spreads the ransomware to other victims.

The ransomware was first spotted by researchers on September 17, 2018, targeting users in the United States.

Working of Virobot Ransomware

Once downloaded, the ransomware checks for the presence of specific registry keys to determine whether the system needs to be encrypted or not.

If it determines that the system should be encrypted, the ransomware generates an encryption and decryption key using a cryptographic random number generator. It then sends the data gathered from the machine, along with the generated key, to the command and control server via a POST request.

The ransomware then starts the encryption process, targeting file types such as .txt, .docx, .xlsx, .pptx, .jpg, .png, .csv, .sql, .mdb, .php, .asp, .xml, .psd, .odt, .html and others. The files are encrypted using the RSA encryption algorithm.

After the encryption process is completed, the ransomware displays a ransom note and a ransom screen.

[Image: Virobot ransom screen]

However, researchers found that the ransom note was written in French, even though the campaign was currently targeting users in the United States.

[Image: Virobot ransom note]

The researchers also found that Virobot contains keylogging features. The ransomware collects keystrokes from the infected machine and connects back to its C&C server to send the data.

The ransomware also downloads additional files, such as malware binaries, and executes them using PowerShell once it connects back to the C&C server.

“Virobot’s botnet capability is evidenced by its use of an infected machine’s Microsoft Outlook to send spam emails to the user’s contact list. Virobot will send a copy of itself or a malicious file downloaded from its C&C server,” Trend Micro researchers said in their published analysis.

According to the researchers, the ransomware is no longer active, as its command and control server has been taken down.
