A new step in the evolution of ransomware documented by security researchers who discovered a sample of the malware that encrypts files on the storage drive and creates unique clones of itself due to its polymorphic characteristics.
The new threat has been named VirRansom and VirLock by researchers from Sophos and ESET, respectively. This crypto-malware, unlike any of its kind, allows the files to be decrypted, but this will not stop blocking the victim's computer screen. In this way he causes the victim to pay.
Just the Ransomware Run on the victim's computer is embedded in a portable executable Portable Executable (PE) and adds the EXE extension.
It is noteworthy that malware scrambles the files it affects, but also decrypts it when it is executed.
Once the user runs the infected file, the virus automatically starts spreading to the system. ESET researchers report that in two cases it landed on "% userprofile%" and "% AllUsersProfile%".
According to analysis των ερευνητών, το VirLock μπορεί να μολύνει έγγραφα (DOC, XLS, PDF, PPT), εικόνες (PNG, GIF, BMP, PSD, JPG), αρχεία ήχου (MP3), αρχεία video (MPG), but also compressed files (RAR, ZIP).
It looks like at the moment there are at least six variants of the malware running on the Internet.
If VirLock / Ransom malware does not encrypt victim files as the other crypto-malware does, it locks the computer screen to achieve its target.
Όταν ο υπολογιστής είναι σε κατάσταση κλειδώματος, το κακόβουλο λογισμικό απενεργοποιεί το explorer.exe, εμποδίζει το άνοιγμα της Διαχείρισης work αλλά και άλλες διαδικασίες που θα μπορούσαν να βοηθήσουν στην παράκαμψη του, αναφέρουν οι της ESET.
The message about the ransom threatens classically with legal consequences, for some alleged copyright violations, and asks for 216 in bitcoins.
ESET has developed one self-cleaning cleaner for this particular threat, while Sophos also provides one free tool designed for the same reason.