Ransomware Morphs into Other Forms

Tuesday, December 30, 2014 @ 01:12 PM gHale


A new ransomware encrypts the files on the storage unit and creates unique instances of itself because of its ability to morph into other forms.

This ransomware has a couple of names, VirRansom and VirLock, labeled by researchers from Sophos and ESET, respectively. Unlike the usual crypto-malware, the ransomware allows decryption of the files, but it won’t stop locking the screen, thus forcing the victim to pay.

RELATED STORIES
New Ransomware Uses Tor Network
Worm Holds Phone for Ransom
Ransomware Rakes in $6M in 6 Months
Malware Steals, Self-Spreads

What the malware does once executed on the computer is to attach itself to a file which is then embedded in a Portable Executable (PE) and added the EXE extension, if it is not an executable.

The threat scrambles the files it affects, but it also decrypts them upon execution, only this action comes at the expense of getting the computer infected.

The moment the user launches the infected file, the virus automatically deploys on the system. ESET researchers said two instances end up dropped in the “%userprofile%” and “%allusersprofile%” folders. Because of its ability to change forms, these end up being unique files.

“From a technical point of view, probably the most interesting part about this malware is that the virus is polymorphic, meaning its body will be different for each infected host and also each time it’s executed,” ESET researchers said.

“The intriguing part of VirRansom is that as well as infecting your EXE (program) files, this new virus “infects” data files, too, such as ZIPSs, DOCs and JPGs, Sophos researchers said in a blog post.

“Data files are encrypted, wrapped up into an EXE shell, and renamed so they end in .exe.

“In a file viewer such as Explorer, you don’t see the infected extension .exe by default (and anyway the virus turns extensions off if you had them on).

“Also, the virus sets the icon of the infected file to whatever it was before.

“That means you could be excused for opening an infected file by mistake, because it looks as you’d expect.

“And if you open an EXE file under the impression that it’s an image or a document, what you actually do it to execute it instead.”

According to the analysis from the antivirus vendor from Slovakia, the list of targeted files VirLock can infect includes documents (DOC, XLS, PDF, PPT), images (PNG, GIF, BMP, PSD, JPG), audio (MP3), video (MPG), and archives (RAR, ZIP).

There at least six variants of the malware circulating, researchers said.

Although VirLock/Ransom does not encrypt the files the way crypto-malware does in order to coerce the victim into paying the ransom, it relies on locking the computer screen to achieve its goal.

When in lock state, the malware also kills explorer.exe and prevents opening Task Manager and other processes that could help bypass the restriction, ESET researchers said.

The ransom message is a classic one, threatening with legal consequences as a result of copyright infringement allegations, unless the victim pays $216.

ESET released a standalone cleaner for the threat, while Sophos also provides a free tool.



Leave a Reply

You must be logged in to post a comment.