More Powerful Ransomware with Increased File-Infection Spotted
Security firm Trend Micro reports that attackers are developing a new ransomware family known as ‘Virlock’ which adds file-infection and self-resurrection capabilities to the usual screen-locking behaviour.
Trend Micro researchers John Chua, Jaaziel Carlos and Rodwin Fuentes recently described Virlock in a threat advisory.
V3.co.uk reported on 13 March 2015, quoting the advisory: “We recently found one malware family known as PE_VIRLOCK which not only locks the system screen but also contaminates files – a first for ransomware”.
Virlock has the basic hallmarks of ransomware: it locks the computer by disabling explorer.exe and blocking taskmgr.exe. What makes it more dangerous is the file-infection capability it adds on top.
Virlock scans the infected machine for files with specific extensions: .doc, .exe, .pdf, .xls, .mdb, .ppt, .zip, .mp3, .rar, .mpg, .wma, .png, .gif, .bmp, .jpeg, .psd, .cer, .p12, .p7b, .crt, .pem and .pfx.
Each matching file is encrypted and embedded in the body of the malware, which adds a .RSRC section to hold it, so the infected file is itself a copy of Virlock carrying the original file's encrypted contents.
According to the researchers, this infection capability gives the attackers a variety of powers on the victim’s system and makes the ransomware considerably harder to detect and remove.
Virlock is also polymorphic: its code changes every time it runs, which makes it harder for signature-based malware detection tools to catch.
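As an added illustration (not code from the advisory or from Trend Micro), the Python script below applies the structural fact described above: an infected document file is no longer a document but a PE executable carrying the original as a section. Checking whether a file with a non-executable extension starts with a valid PE header does not depend on the malware's bytes, which is what makes it useful against a polymorphic sample whose code changes on every run. The PE blobs, the OLE2 and PNG headers and the file names are constructed test data; the case-sensitive .RSRC name check is taken from the advisory's wording and a section name on its own should be treated as a weak indicator.

```python
import os
import struct
from typing import Dict, List, Optional

# Extensions the advisory lists as Virlock targets.
TARGET_EXTENSIONS = {
    ".doc", ".exe", ".pdf", ".xls", ".mdb", ".ppt", ".zip", ".mp3", ".rar",
    ".mpg", ".wma", ".png", ".gif", ".bmp", ".jpeg", ".psd", ".cer", ".p12",
    ".p7b", ".crt", ".pem", ".pfx",
}
# Everything except .exe should never begin with a PE executable header.
NON_EXECUTABLE = TARGET_EXTENSIONS - {".exe"}

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def pe_section_names(data: bytes) -> Optional[List[str]]:
    """Return the section names of a PE image, or None if data is not a PE file.

    Walks DOS header -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (size_opt,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            break  # truncated section table: report what was readable
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def classify(filename: str, data: bytes) -> Dict[str, object]:
    """Flag files whose extension says 'document/media' but whose bytes say 'PE'."""
    ext = os.path.splitext(filename)[1].lower()
    sections = pe_section_names(data)
    is_pe = sections is not None
    sections = sections or []
    # The advisory names the section ".RSRC"; compare case-sensitively, since
    # ordinary linkers emit ".rsrc". A name alone is only a weak indicator.
    has_virlock_style_rsrc = ".RSRC" in sections
    return {
        "file": filename,
        "is_pe": is_pe,
        "sections": sections,
        "has_virlock_style_rsrc": has_virlock_style_rsrc,
        # The strong indicator: a PE header behind a non-executable extension.
        "suspicious": is_pe and ext in NON_EXECUTABLE,
    }


def suspicious_files(samples: Dict[str, bytes]) -> List[str]:
    """Names of the samples that classify() marks suspicious, in input order."""
    return [name for name, data in samples.items() if classify(name, data)["suspicious"]]


def build_sample_pe(section_names: List[str]) -> bytes:
    """Constructed test data: a minimal PE-shaped blob with the given sections (not a runnable binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    size_opt = 0xE0  # PE32 optional header size
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + coff + b"\0" * size_opt + table


# Constructed samples: one Virlock-style infected document, two benign files, one ordinary EXE.
SAMPLES: Dict[str, bytes] = {
    "report.doc": build_sample_pe([".text", ".RSRC"]),
    "budget.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\0" * 64,  # OLE2 compound document magic
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 32,                   # PNG signature
    "setup.exe": build_sample_pe([".text", ".data", ".rsrc"]),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(classify(name, data))
    print("suspicious:", suspicious_files(SAMPLES))
```

To run this over a real share, replace SAMPLES with a walk of the directory that reads the first few kilobytes of each file; the section table sits near the start of the image, so whole files need not be loaded. The check is blind to infected .exe targets, which remain valid executables either way, so for those a hash or signature comparison against known-good copies is still needed.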
Ransomware normally arrives through one of two methods: 1) botnets and 2) social engineering. Neither is guaranteed to work: social engineering can be defeated by an alert user, and a botnet succeeds only while it stays unnoticed, which usually requires it to be novel or unusually complex.
Virlock relies on neither. Its nature is more dangerous: it is a polymorphic worm with file-infecting capability. File infectors and worms are two of the most effective and efficient ways to spread malware, and Virlock qualifies as both.
The best way to minimize the threat of ransomware is to keep backups of files. As the Trend Micro researchers concluded, even if data is locked or encrypted, it can be restored from a backup copy.