Viro Botnet Ransomware Breaks Through

We’ve predicted that ransomware attacks will plateau in 2017 but will diversify in terms of attack methods as time progresses. Ransomware activity in the first half of 2018 proved this to be true, with more innovative methods to raise the ante. Case in point: we have recently observed Virobot (detected by Trend Micro as RANSOM_VIBOROT.THIAHAH), with both ransomware and botnet capabilities, affecting users in the United States. Once Viborot infects a machine, it also becomes part of a spam email botnet that distributes the ransomware to more victims. Virobot is not associated with any known ransomware families.

Infection Chain

Virobot was first observed in the wild on September 17, 2018, seven days after we analyzed a ransomware variant that imitates the notorious Locky ransomware. Once Virobot is downloaded to a machine, it will check the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted.


Figure 1. Virobot queries the machine to see if contains the registry keys needed for encryption.

The ransomware then generates an encryption and decryption key via a cryptographic Random Number Generator. Together with the generated key, Virobot will then send the machine-gathered data to its C&C server via POST.

Virobot will start its encryption process. The following files are encrypted via RSA encryption:


Figure 2. Code snippet showing the ransomware’s encryption

After encryption, it will display a ransom note and ransom screen. Interestingly, despite finding that the ransomware affects users in the US as of writing time, the ransom note was written in French:



Figures 3 and 4. Screen captures of Virobot’s ransom screen (top) and ransom note (bottom). Written in French, it states “Vos fichiers personnels ont été chiffré,” which translates to “Your personal files have been encrypted.”

Virobot also has a keylogging feature, and connects back to its C&C server to send logged key strokes from an infected machine. Once connected to the C&C, it may download files – possibly another malware binary – and execute it using PowerShell.


Figure 5. Code snippet showcasing Virobot’s keylogging capability.

Virobot’s botnet capability is evidenced by its use of an infected machine’s Microsoft Outlook to send spam emails to the user’s contact list. Virobot will send a copy of itself or a malicious file downloaded from its C&C server.

Figures 6 and 7. Code snippets featuring Virobot’s propagation routine using Microsoft Outlook.

The ransomware needs to establish communication to its C&C server to successfully encrypt files. However, as of writing time, it is no longer able to encrypt files because Virobot’s C&C was taken down.

Trend Micro Ransomware Solutions

Individuals and enterprises should use a multi-layered approach to mitigate the risks brought by threats like ransomware.

Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–regardless if they’re physical, virtual, or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.

For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.

Trend Micro Crypto-Ransomware File Decryptor Tool can decrypt files affected by certain crypto-ransomware variants without having to pay the ransom in exchange for the decryption key.

Find more in-depth information on Trend Micro detections and solutions for Trend Micro Deep Security, Vulnerability Protection, TippingPoint, and Deep Discovery Inspector in this technical support page.


Indicators of Compromise (IOCs)

Hash detected as RANSOM_VIBOROT.THIAHAH (SHA256):    


Related malicious URLs:






The post Viro Botnet Ransomware Breaks Through appeared first on .

Read more: Viro Botnet Ransomware Breaks Through

Story added 21. September 2018, content source with full text you can find at link above.