VirLock: The First Shape-shifter Among Ransomware


ESET research has analysed the first case of ransomware that also acts as a polymorphic parasitic virus

ESET has analyzed a new member of the ransomware family, detected by its telemetry under the name Win32/VirLock. It is the first time ESET researchers have seen ransomware that both locks the screen of the victim's device and acts as a polymorphic parasitic virus, infecting files on the user's device. To restore VirLock-infected files, victims can download and use ESET's standalone cleaner.

Until now, ransomware has usually been categorized into two basic groups: LockScreens and Filecoders. In rare cases, ransomware takes a hybrid approach, both encrypting files and locking the screen by displaying a full-screen message demanding a ransom. An example of this behavior is Android/Simplocker, the first filecoder for Android, which ESET detected earlier this year.

VirLock infects files by morphing them into encrypted executables that contain the virus body, so a host document or image ends up as an executable with its original contents encrypted inside it rather than as a separately encrypted copy. Another part of the payload is responsible for the LockScreen functionality, with typical protective measures such as shutting down explorer.exe and the Task Manager, and for displaying the ransom screen.
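A parasitic infector that rewrites a document into an executable leaves a simple trace: the file keeps its document extension but now begins with an MZ/PE header instead of a ZIP, JPEG or PDF magic. The scanner below is an added example written for this page; it is not ESET's cleaner and carries no VirLock-specific signature. It flags files whose extension says "not executable" but whose bytes say "Windows PE", and reports byte entropy as a hint that the body is encrypted. The extension list, the sample files and the 64 KiB read limit are assumptions chosen for the example.

```python
"""Flag files that carry a PE header under a non-executable extension.

Added example for this page: a generic check for document or image files
that have been turned into Windows executables. Not ESET's tool and not a
VirLock signature; the extension list and samples below are assumptions.
"""
import math
import os
import struct
import tempfile

# Assumption: extensions that should never start with an MZ/PE header.
NON_EXECUTABLE_EXTS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf",
    ".jpg", ".jpeg", ".png", ".gif", ".txt", ".mp3", ".zip",
}
READ_LIMIT = 64 * 1024  # assumption: enough to cover e_lfanew and the PE signature


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; encrypted payloads sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(name: str, data: bytes) -> dict:
    """Verdict for one file: suspicious when a non-executable extension hides a PE."""
    ext = os.path.splitext(name)[1].lower()
    is_pe = looks_like_pe(data)
    return {
        "name": name,
        "is_pe": is_pe,
        "entropy": round(shannon_entropy(data), 3),
        "suspicious": is_pe and ext in NON_EXECUTABLE_EXTS,
    }


def scan_directory(root: str) -> list:
    """Walk root and return assessments for every file flagged as suspicious."""
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                verdict = assess(fn, fh.read(READ_LIMIT))
            if verdict["suspicious"]:
                flagged.append(verdict)
    return flagged


# --- constructed samples (not real VirLock bytes) ---------------------------
def _fake_pe(payload: bytes) -> bytes:
    """Minimal MZ stub with e_lfanew = 0x40 followed by a PE signature and payload."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + payload


# 4096 bytes that visit every byte value 16 times: deterministic, entropy exactly 8.0
SAMPLE_PAYLOAD = bytes((i * 131 + 7) % 256 for i in range(4096))
SAMPLE_INFECTED = _fake_pe(SAMPLE_PAYLOAD)          # a "document" that is now a PE
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\0" * 100      # an untouched image
SAMPLE_DOCX = b"PK\x03\x04" + b"\0" * 100            # an untouched Office file (ZIP)


def demo() -> list:
    """Write the samples to a temp dir, scan it, return the flagged file names."""
    with tempfile.TemporaryDirectory() as tmp:
        for fn, blob in (("report.docx", SAMPLE_INFECTED),
                         ("photo.jpg", SAMPLE_JPEG),
                         ("notes.docx", SAMPLE_DOCX),
                         ("tool.exe", SAMPLE_INFECTED)):
            with open(os.path.join(tmp, fn), "wb") as fh:
                fh.write(blob)
        return sorted(v["name"] for v in scan_directory(tmp))


if __name__ == "__main__":
    print("flagged:", demo())
    for v in scan_directory(tempfile.gettempdir()):
        print(v)
```

Only the extension/header mismatch drives the verdict; entropy is reported, not used, because legitimate packed or compressed files score high too. The check catches any file-to-PE conversion, not just this family, and says nothing about whether the encrypted body is recoverable, which is what the standalone cleaner is for.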

"From a technical point of view, probably the most interesting part about VirLock is that the virus is polymorphic, meaning its body will be different for each infected file and also each time it's executed. Moreover, our analysis has revealed multiple levels of encryption, which suggests that the malware author has truly played around with the code," said Robert Lipovsky, Malware Researcher at ESET.

For more information and details about VirLock, please read the analysis by ESET researchers, which is now available on WeLiveSecurity.com (link). Victims of a VirLock infection can download and use ESET's standalone cleaner to restore their files.
