[BreachExchange] Hackers Spreading New Virobot Ransomware with Powerful Botnet & Keylogging Capabilities

Destry Winant destry at riskbasedsecurity.com
Mon Sep 24 16:57:29 EDT 2018


https://gbhackers.com/virobot-ransomware-botnet/

Researchers discovered a new ransomware, Virobot, that is distributed
along with botnet features and mainly targets victims based in the
United States.

Attackers use a spam email botnet to deliver the ransomware to a larger
number of victims, and this ransomware does not belong to any previously
known ransomware family.

Cybercriminals are always finding new and innovative techniques to
compromise victims by developing sophisticated threats.

Virobot ransomware was initially observed in 2017. On infection, the
ransomware first gathers the Machine GUID, Machine Name and User Name.

Virobot Ransomware Infection Process

Once a targeted victim is infected with Virobot ransomware, it checks
whether the victim's machine has been encrypted before by looking up the
GUID and product key in the registry.

It uses a cryptographic random number generator to generate an
encryption and decryption key.

It then sends the gathered victim data to the attackers via the
command & control (C&C) server, using the generated key.

Once the ransomware receives the required command from the attacker,
it starts the encryption process and encrypts the files on the disk
using the RSA encryption algorithm.

After completing the encryption process, Virobot displays a ransom note
written in French, regardless of the victim's geolocation.

Botnet & Keylogging Features

Apart from the ransomware infection, Virobot also has a keylogging
feature that connects back to its C&C server and sends the stolen
keylogged information to the attacker.

According to Trend Micro, Virobot's botnet capability is evidenced by
its use of an infected machine's Microsoft Outlook to send spam emails
to the user's contact list. Virobot will send a copy of itself or a
malicious file downloaded from its C&C server.

During analysis of this ransomware, Virobot did not encrypt any files,
since its command & control server had been temporarily taken down,
researchers said.

