Viro Botnet Ransomware Targets the United States

Delaware, USA – September 26, 2018 — The recently discovered XBash malware used by the Iron cybergang has acquired a follower – Viro Botnet Ransomware. This is a completely new ransomware strain discovered by researchers from Trend Micro. The first cases of infection occurred in the past Monday. After getting into the system, Viro botnet checks for the presence of specific registry keys and collects information about the system. If the required keys are present, the malware sends the gathered data along with the decryption key to the command and control server and starts encrypting the data. The list of file extensions to encrypt is small and includes mostly documents and images. After the process is complete, ransomware displays ransom note written in French. Viro botnet has the capabilities of keylogger and is capable of downloading other malicious files from the attackers’ server and executing them via PowerShell. Another botnet function is to use Microsoft Outlook to send a copy of the Viro botnet or other malware downloaded from the attackers’ server to users from the victim’s contact list.

Analysis of ransomware scene shows that, despite the fact that the emergence of new families of viruses has slowed down, the number of attacks and the capabilities of new modifications are increasing. The McAfee Labs report states that the number of ransomware samples increased 57 percent over the last four quarters. Attacks on organizations are on the rise: last week it became known about targeted attacks on the Bristol Airport and Arran Brewery. To detect attacks in the early stages, you can use your SIEM with Ransomware Hunter rule pack: https://my.socprime.com/en/integrations/ransomware-hunter-arcsight