VirRansom – New Hybrid Ransomware

Posted on by Darril

VirRansom is a new type of ransomware that replicates like a virus.

The Internet Crime Complaint Center (IC3) has issued an alert warning that U.S. individuals and businesses are still at risk of CryptoWall ransomware fraud. Scam operators use ransomware—a type of malicious software—to infect a device and restrict access until a ransom fee is paid­­. Individuals and organizations are discouraged from paying the ransom, as this does not guarantee files will be released.

US-CERT encourages users and administrators to review the IC3 Alert for details and refer to the US-CERT Alert TA-295A for information on crypto ransomware.

Ransomware

Ransomware is bad enough on its own. It’s a type of Trojan that allows attackers to take control of the user’s computer. Attackers then demand the user pay a ransom to get control of their computer again.

A common way criminals deliver ransomware is via a drive-by download – a type of Trojan horse. Users visit a malicious website and the website downloads the malware to the user’s system. Some ransomware is embedded in other software similar to a typical Trojan horse. Two ransomware viruses that have attacked many people are the Police Virus and CryptoLocker.

Here are some screenshots of some known ransomware.

RansomwareCryptolocker
VirRansom a new type of ransomwareVirRansom a hybrid
   This one accuses you of illegally downloading pirated materials. If you have your webcam enabled, it will have captured pictures or video of you displayed in the window.   Cryptolocker doesn’t bother accusing you of illegal activities. Just as a mobster might kidnap a family member and demand ransom, Cryptolocker kidnaps files on your computer and demands a ransom.

VirRansom

However, criminals have gotten more aggressive with ransomware and have combined virus capabilities with it creating a new hybrid which SophosLabs has tagged as VirRansom.

But this new ransomware isn’t just malware, it’s a virus – a true virus; a self-replicating parasite that spreads of its own accord.

Once it gets into your network, even if it infects only a single computer, it may soon end up all over the place, even if no-one opens dodgy attachments or already has zombie malware infections waiting to be exploited.

A parasitic virus, in contrast to a worm, doesn’t spread merely by making copies of itself.

Parasitics find other programs and modify them to include a copy of the virus, using the original file as a host or carrier.

In other words, if a single user in the network engages in unsafe computing practices causing his computer to become infected, it will quickly spread throughout the network. It includes worm components to spread across the network. When it reaches another computer, it uses virus capabilities to infect computers on that computer. In many instances, it will infect hundreds or even thousands of files on the infected computer.

VirRansom Good News and Bad News

KnowBe4, an IT security company, posted an informative article on their blog about this hybrid. In it, the included some good news and some bad news.

The good news: The file encryption is not as advanced as CryptoWall, as the key to decrypt the files is contained in the malware itself. Your antivirus should soon be able to decrypt the files and restore them, unless the bad guys are constantly changing the encryption keys in which case it may take a day or more before your AV catches up.

The bad news: This is a full-fledged virus which will spread across your network and doing a less than perfect job on the disinfection can easily lead to reinfection of your whole network.

And the bad news is consistent. The good guys find ways to protect systems from malware and the bad guys find ways to circumvent these protections. It’s a battle that we’ll be fighting for the foreseeable future.

VirRansom and Safe Computing Habits

One of the best ways to prevent the first computer from becoming infected is to practice basic safe computing habits. The following list was derived from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide:

  • Don’t click on links within emails from unknown sources (no matter how curious you might be).
  • Don’t open attachments from unknown sources ( malware can be embedded into many different files, such as Portable Document Format (PDF) files, Word documents, Zip files, and more).
  • Be wary of free downloads from the Internet (Trojans entice you with something free but include malware).
  • Limit information you post on social media sites (criminals use this to answer password reset questions).
  • Back up your data regularly (unless you’re willing to see it disappear forever).
  • Keep your computer up to date with current patches (but beware of zero-day exploits).
  • Keep antivirus software up to date (but don’t depend on it to catch everything).

Other Security+ Study Resources

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

CompTIA Security+ Get Certified Get Ahead: SY0-501 Study Guide

Subscribe To Our Newsletter

Join our mailing list and get a free excerpt of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide.  This excerpt includes the introduction and Chapter 1. 

You have Successfully Subscribed!