Virobot: ransomware and botnet threat

Security researchers at Trend Micro have spotted a “more innovative” ransomware attack that uses Virobot, malware with both ransomware and botnet capabilities that affects users in the United States.

“Once Virobot infects a machine, it also becomes part of a spam email botnet that distributes the ransomware to more victims,” according to Trend Micro.

Virobot is not related to any known ransomware families as of yet.

Trend Micro first spotted Virobot in the wild on September 17th, just last week, and describes the infection chain as follows:

“Once Virobot is downloaded to a machine, it will check the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted.

“The ransomware then generates an encryption and decryption key via a cryptographic Random Number Generator. Together with the generated key, Virobot will then send the machine-gathered data to its C&C server via POST.”

Virobot will then start the encryption process. 

Botnet capability: 

“Virobot’s botnet capability is evidenced by its use of an infected machine’s Microsoft Outlook to send spam emails to the user’s contact list. Virobot will send a copy of itself or a malicious file downloaded from its C&C server.”

To further add to the uniqueness of this malware threat, Virobot also has keylogging features. 
