Old Ransomware is Back

Friday, January 27, 2017 @ 05:01 PM gHale

Oftentimes, like a boomerang, ransomware does not go away, it just keeps coming back in various new versions.

Take the VirLocker ransomware.

Powerful Mobile Android Ransomware
New Ransomware as a Service Starts Up
New Ransomware Tries to Grow Organically
Exploit Kit Jumps on Old Applications

It has been around for a very long time, and it went quiet, but it is now coming back, said Malwarebytes’ anti-ransomware researcher Nathan Scott.

VirLocker has the ability to reproduce itself and covertly adds itself to files on a victim’s computer. It encrypts different types of files, but also “infects” them by adding itself to these new, encrypted files, and wrapping them in an EXE shell (the .exe extension is not visible).

“VirLocker has a trick up its sleeve when it comes to infecting other users,” Scott said in a blog post. “Because every file that VirLocker touches becomes VirLocker itself, so many users will accidentally send an infected version of a file to friends and colleagues, backups become infected, and even applications and EXE’s are not safe. Basically, when getting infected by VirLocker, you can no longer trust a single file that is on the affected machine.”

It only takes opening one such file to get the infection chain started.

Decryptor tools for previous versions of the ransomware end up offered by ESET and Sophos researchers, but this latest version is even easier to stop in its tracks: Enter any 64-length string (e.g. 64 zeros) in the text box of the lock screen note, click on the “Pay Fine” button and the malware will believe it received the right amount. The note will disappear, and opening any of the infected files will extract the original file.

Opening all the infected files will be a time consuming task, but the victim can save those that are most important.

Once you get them all, insert a USB stick in your computer and transfer them there, Scott said. Be careful, however, not to make the mistake to transfer some of the infected EXE files on the memory stick, as clicking on any of them will start the infection chain all over again.

Leave a Reply

You must be logged in to post a comment.