by Raphael Centeno and Noel Llimos
We’ve predicted that ransomware attacks will plateau in 2017 but will diversify in terms of attack methods as time progresses. Ransomware activity in the first half of 2018 proved this to be true, with more innovative methods to raise the ante. Case in point: we have recently observed Viro botnet (detected by Trend Micro as RANSOM_VIBOROT.THIAHAH), with both ransomware and botnet capabilities, affecting users in the United States. Once Viro botnet infects a machine, it also becomes part of a spam email botnet that distributes the ransomware to more victims. Viro botnet is not associated with any known ransomware families.
Viro botnet was first observed in the wild on September 17, 2018, seven days after we analyzed a ransomware variant that imitates the notorious Locky ransomware. Once Viro botnet is downloaded to a machine, it will check the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted.
Figure 1. Viro botnet queries the registry to check the existence of specific registry keys.
If the specific registry keys exist, this ransomware then generates an encryption and decryption key via a cryptographic random number generator to proceed with encryption. Together with the generated key, Viro botnet then sends the machine-gathered data to its C&C server via POST.
It will then start its encryption process. The following files are encrypted via RSA encryption:
Figure 2. Code snippet showing the ransomware’s encryption
After encryption, it will display a ransom note and ransom screen. Interestingly, despite finding that the ransomware affects users in the US as of writing time, the ransom note was written in French:
Figures 3 and 4. Screen captures of Viro botnet’s ransom screen (top) and ransom note (bottom). Written in French, it states “Vos fichiers personnels ont été chiffré,” which translates to “Your personal files have been encrypted.”
Viro botnet also has a keylogging feature and connects back to its C&C server to send logged keystrokes from an infected machine. Once connected to the C&C, it may download files – possibly another malware binary – and execute it using PowerShell.
Figure 5. Code snippet showcasing Viro botnet’s keylogging capability.
The botnet capability is evidenced by its use of an infected machine’s Microsoft Outlook to send spam emails to the user’s contact list. Viro botnet will send a copy of itself or a malicious file downloaded from its C&C server.
Figures 6 and 7. Code snippets featuring Viro botnet’s propagation routine using Microsoft Outlook.
The ransomware needs to establish communication to its C&C server to successfully encrypt files. However, as of writing time, it is no longer able to encrypt files because Viro botnet’s C&C was taken down.
Trend Micro Ransomware Solutions
Individuals and enterprises should use a multi-layered approach to mitigate the risks brought by threats like ransomware.
Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security can prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like high fidelity machine learning, behavior monitoring and application control, and vulnerability shielding that minimizes the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–regardless if they’re physical, virtual, or in the cloud.
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order detect and block ransomware.
For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.
Trend Micro Crypto-Ransomware File Decryptor Tool can decrypt files affected by certain crypto-ransomware variants without having to pay the ransom in exchange for the decryption key.
Find more in-depth information on Trend Micro detections and solutions for Trend Micro Deep Security, Vulnerability Protection, TippingPoint, and Deep Discovery Inspector in this technical support page.
Indicators of Compromise (IOCs)
Hash detected as RANSOM_VIBOROT.THIAHAH (SHA256):