Ransomware has become increasingly problematic for end users, typically extorting payment from its victims either by locking the screen (LockScreen) or by encrypting files (Filecoder). However, the latest variants not only utilise both methods of attack, but have also demonstrated more sinister self-reproducing, shape-shifting capabilities.
Win32/VirLock not only locks victims’ screens but also acts as a parasitic virus that infects existing files on the computer – an approach never before observed in ransomware. This is how it works:
When VirLock infects a file, it embeds the original file inside a Win32 PE executable and appends the .exe extension to the file's name. When that executable is run, the ransomware decrypts the original file from within its body, drops it into the current directory and then opens it, so the victim sees the expected document.
This enables VirLock to install itself by dropping two randomly named instances of itself into the ‘userprofile’ and ‘alluserprofile’ directories, adding entries in the ‘Run’ registry keys so they can launch when Windows is next booted up. Because this virus is polymorphic, every instance is unique.
It is the dropped instances that are responsible for executing the malicious payloads. Once the screen is locked, the ransom message is displayed, instructing the victim to pay a sum in Bitcoin should they wish to regain computer access and restore files.
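The mechanism described above (data file wrapped in a PE with .exe appended, random-named copies in the user and all-users profile directories, Run-key entries pointing at them) suggests two simple triage checks a defender can run over a file listing and a registry export. The following is an added example, not code from the original article or from any vendor; the extension list, the random-name regex and the sample data are constructed assumptions for illustration, not VirLock signatures.

```python
import re
from pathlib import PureWindowsPath

# Data-file extensions an infector of this kind wraps in a PE before appending
# ".exe" (constructed list for this example, not exhaustive).
DATA_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".zip", ".txt"}

# Assumed shape of a randomly generated dropper name: bare alphanumeric stem plus .exe.
RANDOM_STEM = re.compile(r"^[a-z0-9]{6,16}\.exe$")


def has_appended_exe(path: str) -> bool:
    """True for names such as budget.xlsx.exe: a data extension followed by .exe."""
    suffixes = [s.lower() for s in PureWindowsPath(path).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] == ".exe" and suffixes[-2] in DATA_EXTENSIONS


def infected_candidates(entries):
    """entries: iterable of (path, first bytes). Keep paths that carry an appended
    .exe AND begin with the MZ signature of a Win32 PE, i.e. a wrapped data file."""
    return [p for p, head in entries if has_appended_exe(p) and head[:2] == b"MZ"]


def in_profile_root(p: PureWindowsPath) -> bool:
    """Directly under C:\\Users\\<name>\\ or C:\\ProgramData\\ (the profile roots)."""
    parts = [s.lower() for s in p.parts]
    return (len(parts) == 4 and parts[1] in ("users", "documents and settings")) or \
           (len(parts) == 3 and parts[1] == "programdata")


def suspicious_run_values(run_values):
    """run_values: iterable of (value name, command) from a ...\\Run key export.
    Flag commands that launch a random-stem exe sitting in a profile root."""
    hits = []
    for name, command in run_values:
        exe = command.strip().strip('"').split('"')[0].lower()  # drop quotes/arguments
        p = PureWindowsPath(exe)
        if in_profile_root(p) and RANDOM_STEM.match(p.name):
            hits.append(name)
    return hits


# Constructed sample data standing in for a directory walk and a registry export.
SAMPLE_FILES = [
    ("C:\\Users\\alice\\Documents\\budget.xlsx.exe", b"MZ\x90\x00"),
    ("C:\\Users\\alice\\Documents\\budget.xlsx", b"PK\x03\x04"),
    ("C:\\Users\\alice\\Pictures\\holiday.jpg.exe", b"MZ\x90\x00"),
    ("C:\\Program Files\\Tool\\setup.exe", b"MZ\x90\x00"),
]
SAMPLE_RUN = [
    ("OneDrive", "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"),
    ("kqzmdtwa", "C:\\Users\\alice\\kqzmdtwa.exe"),
    ("xpovhaqr", "\"C:\\ProgramData\\xpovhaqr.exe\""),
]

if __name__ == "__main__":
    print(infected_candidates(SAMPLE_FILES))
    print(suspicious_run_values(SAMPLE_RUN))
```

Both checks are heuristics for prioritising a look, not proof of infection; a polymorphic sample will not match a fixed byte signature, which is why the checks key on structure (name shape, PE header, drop location) rather than content.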
Whilst the number of victims of this new virus is actually relatively low, some of them have indeed paid up. Aside from the apparent extortion, it is in fact VirLock’s parasitic and polymorphic traits that really make it stand out. Fortunately, the UK has thus far been unaffected, though security experts will have to work hard to keep it that way.