Analysis by Jaaziel Carlos, Jonh Chua, and Rodwin Fuentes
Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware.
Figure 1. VIRLOCK infection diagram
Once inside the computer, VIRLOCK creates and modifies registry entries to avoid detection and ensure execution. It then locks the screen of the affected computer, disabling explorer.exe and preventing the use of taskmgr.exe. Meanwhile, it also checks the location of the affected system to display the appropriate image for the ransom message.
Figure 2. Sample ransom message
As mentioned, VIRLOCK also has file-infecting routines. Once in the computer, PE_VIRLOCK checks for specific file types, including the following:
- Executable files (*.exe)
- Common Document files (*.doc, *.xls, *.pdf, *.ppt, *.mdb)
- Archive files (*.zip, *.rar)
- Audio/Video files (*.mp3, *.mpg, *.wma)
- Image files (*.png, *.gif, *.bmp, *.jpg, *.jpeg, *.psd)
- Certificate files (*.p12, *.cer, *.crt, *.p7b, *.pfx, *.pem)
Once the malware finds its targeted files, it encrypts the host file and embeds it in the malware body. It also adds a .RSRC section to the infected file. The .RSRC section holds the resources used by an executable that are not considered part of its code, such as icons, images, menus, and strings. VIRLOCK uses that section to store the resources of the host file. Because the infected file carries an icon similar to that of the original host file, it can trick unsuspecting users into executing it.
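As an added illustration (this is not code from the original post or from Trend Micro), the following Python walks a PE's section table and reports each section's entropy. Enumerating sections and measuring entropy is a routine first triage step for file infectors of this kind, because an encrypted embedded host file shows up as a high-entropy blob even when the surrounding file still presents the original icon in its .rsrc section. The two-section image inspected here is constructed inline for the demo; the field layouts are the standard IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER ones.

```python
"""Minimal PE section-table walker with per-section entropy.

Added example: the sample image below is built by hand so the script
runs offline; it is not a VIRLOCK sample.
"""
import math
import random
import struct
from collections import Counter

COFF_HEADER_SIZE = 20       # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40    # IMAGE_SECTION_HEADER


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for random data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def parse_sections(data: bytes) -> list:
    """Return one dict per section with its name, addresses, sizes and the
    entropy of the raw bytes stored on disk for that section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_offset": raw_ptr,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return sections


def find_section(data: bytes, name: str):
    """Return the section dict named `name` (e.g. ".rsrc"), or None."""
    for section in parse_sections(data):
        if section["name"] == name:
            return section
    return None


def build_sample_pe() -> bytes:
    """Constructed two-section image: a constant .text and a .rsrc filled with
    pseudo-random bytes standing in for an encrypted embedded payload."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\0" * 0xE0  # IMAGE_OPTIONAL_HEADER32 size; contents unused here
    # Machine=i386, 2 sections, no timestamp/symbols, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    text_raw = b"\x90" * 0x100
    rng = random.Random(7)
    rsrc_raw = bytes(rng.getrandbits(8) for _ in range(0x100))
    text_off, rsrc_off = 0x200, 0x300

    def hdr(name, vaddr, raw, raw_off, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw),
                           raw_off, 0, 0, 0, 0, flags)

    headers = (dos + b"PE\0\0" + coff + opt
               + hdr(b".text", 0x1000, text_raw, text_off, 0x60000020)
               + hdr(b".rsrc", 0x2000, rsrc_raw, rsrc_off, 0x40000040))
    image = bytearray(0x400)
    image[:len(headers)] = headers
    image[text_off:text_off + len(text_raw)] = text_raw
    image[rsrc_off:rsrc_off + len(rsrc_raw)] = rsrc_raw
    return bytes(image)


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        print(f"{s['name']:<8} raw@0x{s['raw_offset']:04x} "
              f"size=0x{s['raw_size']:x} entropy={s['entropy']:.2f}")
```

On a real file the same walker is pointed at `open(path, "rb").read()`; a section whose entropy sits near 8.0 while the file still renders the original document or image icon is worth pulling apart further.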
Figure 3. A detailed representation of the levels of encryption found in infected files
Upon execution, the infected file drops a decrypted copy of the host file in the same directory from which it was run. The malware then executes the decrypted host file so that the user believes nothing suspicious is happening, even while the malware runs silently in the background.
The malware author programmed the mother file with the same logic as the infected files: it drops and executes a dummy (garbage) file, mirroring the infected file's routine. The author may have used a dummy file for two reasons: 1) code recycling, and 2) polymorphism—since every instance is unique.
Our analysis shows that VIRLOCK is polymorphic. The malware is packed with a custom packer that uses randomized API calls, and it continuously changes the packer it uses to avoid detection. This makes it harder for security researchers and products to detect, as the code changes each time it runs.
VIRLOCK encrypts the host file to make it more difficult for security solutions to clean and restore the infected files. Based on our analysis, VIRLOCK uses custom encryption with two layers. The first is a combination of XOR and ROL (rotate left) encryption, and the second layer is an XOR encryption.
Figure 4. Representation of malware code execution
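The post names the two layers but not the key material or the rotate count, so the following Python (an added example, not VIRLOCK's actual routine or Trend Micro's tooling) assumes single-byte XOR keys and a fixed rotate count to show what an analyst restoring an embedded host file is up against. The useful observation, which the paragraph alone does not make, is that two XOR layers separated by a fixed rotation collapse into a single rotation followed by a single XOR, so the whole scheme can be peeled with nothing more than the known "MZ" start of the embedded PE. The host bytes are constructed for the demo.

```python
"""Peeling a two-layer XOR/ROL scheme from a known plaintext prefix.

Added example with assumed parameters (single-byte keys k1, k2 and a fixed
rotate count); the real key schedule is not described in the post.
"""

def rol8(b: int, r: int) -> int:
    r &= 7
    return ((b << r) | (b >> (8 - r))) & 0xFF


def ror8(b: int, r: int) -> int:
    r &= 7
    return ((b >> r) | (b << (8 - r))) & 0xFF


def encrypt(data: bytes, k1: int, rot: int, k2: int) -> bytes:
    """Layer 1: XOR with k1 then rotate left; layer 2: XOR with k2."""
    return bytes(rol8(b ^ k1, rot) ^ k2 for b in data)


def decrypt(blob: bytes, k1: int, rot: int, k2: int) -> bytes:
    """Undo layer 2, then layer 1, with the parameters known."""
    return bytes(ror8(c ^ k2, rot) ^ k1 for c in blob)


# Typical start of a DOS header; used as known plaintext for recovery.
KNOWN_PREFIX = b"MZ\x90\x00"


def recover_parameters(blob: bytes, known: bytes = KNOWN_PREFIX):
    """Return (rot, k_eff) such that ror8(c ^ k_eff, rot) == p over the prefix.

    rol8(p ^ k1, r) ^ k2 == rol8(p, r) ^ (rol8(k1, r) ^ k2), so both XOR keys
    merge into one effective byte k_eff and only 8 rotations need trying.
    """
    for rot in range(8):
        k_eff = blob[0] ^ rol8(known[0], rot)
        if all(ror8(c ^ k_eff, rot) == p for c, p in zip(blob, known)):
            return rot, k_eff
    return None


def recover_host(blob: bytes, known: bytes = KNOWN_PREFIX) -> bytes:
    """Recover the embedded file without knowing k1, k2 or the rotate count."""
    params = recover_parameters(blob, known)
    if params is None:
        raise ValueError("known prefix not found under any rotation")
    rot, k_eff = params
    return bytes(ror8(c ^ k_eff, rot) for c in blob)


# Constructed stand-in for an embedded host executable (not a real binary).
SAMPLE_HOST = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
               + b"This program cannot be run in DOS mode.\r\n$"
               + bytes(range(64)))


if __name__ == "__main__":
    blob = encrypt(SAMPLE_HOST, 0x5A, 3, 0xC3)
    print("recovered parameters:", recover_parameters(blob))
    print("host restored:", recover_host(blob) == SAMPLE_HOST)
```

The collapse only holds for a fixed rotate count and position-independent keys; a per-byte key schedule would need the same argument applied position by position, but the known-header approach is unchanged.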
Based on feedback from the Smart Protection Network, the top affected country is the United States, followed by China and Australia.
Figure 5. Top affected countries, based on data from January 2015 to present
Ransomware, Worms, and File Infectors: a Potent Combination
As mentioned earlier, this is the first ransomware that includes file infection in its routine. Ransomware often arrives via two methods: 1) botnets, and 2) social engineering. However, these methods aren’t necessarily foolproof. Social engineering can be thwarted by a well-informed user. Botnets are only successful if they are undetected, which usually only happens when they are new or highly complex.
VIRLOCK does not use any of those methods to infect systems. Instead, its very nature is more damaging: a polymorphic worm with file infecting capabilities. It bears stressing that file infectors and worms are two malware types that can effectively and efficiently spread malware—and VIRLOCK can be considered both.
If the infected system is not properly cleaned, even the presence of a single infected file will trigger the infection chain all over again. Once VIRLOCK gets into a network, it can spread throughout that network without notice.
There is also a high chance of executing VIRLOCK on removable drives by mistake since the icons are the same as what you’d expect for certain files on a flash drive. The infected files on the affected removable drive can infect computers with ease.
Since the motivation of the malware is to earn money through ransom fees, infecting files could help the malware to spread to other systems, increasing the chance of getting more money.
The Future of VIRLOCK
In our analysis, we also found traces of incomplete modules or illogical code in VIRLOCK. It’s highly possible that these are signs that VIRLOCK is still in the development stage; it won’t be a surprise if we see a more sophisticated VIRLOCK variant in the coming months. One possible development is in its arrival vectors. We might see VIRLOCK use mass-mailing malware to propagate, similar to that used by the ransomware family CRYPCTB.
The first line of defense in staying protected against all types of ransomware is erring on the side of caution. For example, it’s best to avoid opening emails and links sent by unknown or unverified sources or contacts. Even when an email looks legitimate, it’s always best to check the sender’s address, subject line, and of course the email contents for anything that appears suspicious. Try to visit sites that have been verified as safe. Users can also use the Trend Micro Site Safety Center to check whether unfamiliar sites are safe. Never download anything unless it comes from an official or trusted source.
As VIRLOCK has propagating capabilities, we highly encourage users to connect their removable drives only to computers that are trusted or have security software installed. The same goes for computers: avoid connecting flash drives that cannot be vouched for by other people.
Users should always have a security solution installed in their devices. Trend Micro Security products leverage the Smart Protection Network™, which rapidly and accurately identifies new threats and delivers global threat intelligence.
Hashes of related files: