14 DAY TRIAL // The Virobot ransomware has been spotted making rounds in the United States on September 17, and it propagates itself via Microsoft Outlook spam e-mails.
At the moment, Virobot's command-and-control (C&C) server has been shut down, and the malware will not be able to successfully encrypt infected systems until the threat actors who designed it will switch to a new one.
As reported by Trend Micro's Macky Cruz, the Virobot ransomware also comes with botnet capabilities meant to spread it between computers via a spam e-mail attack vector that uses Microsoft Outlook as transportation.
Virobot-infected e-mails are sent to the victim's entire Outlook contact list containing a copy of the malware or a link to a payload file which will be downloaded on the target machine when the spam message is opened.
After the ransomware infects a computer, it will do a quick registry check-up to find the machine's ProductID and GUID and, after generating a pair of encryption and decryption keys, it will send all the gathered info to its C&C server and start encryption the hard drive.
The Virobot ransomware also features botnet and keylogger modules
Virobot's encryption process uses a pre-defined list of file formats to encrypt using RSA encryption containing anything from text and image files to SQL, MDB, and PSD.
Once the encryption has ended, Virobot will display a ransom screen and a note written in French and asking the victim to pay the ransom in 72 hours to have the data decrypted.
As unveiled by Cruz's analysis, the ransomware also features with keylogger capabilities, actively recording everything the target types on an infected computer and sending it to the C&C server.
Fortunately, as previously mentioned, Virobot's encryption and keylogging modules have been shut down after the ransomware's C&C server went offline, but it's still essential to prevent an infection seeing that the botnet capability is still up and running, and the bad actors can always switch operations to another command-and-control server.
