Viro Botnet Malware Reading Time: 3 minutes

The latest, strangest new ransomware appears to come from France, or at least from French speaking cyber attackers.

If your Windows PC has been successfully infected by the brand new Viro botnet ransomware, you will see this ransom note no matter where in le monde you are. Tout le monde is a possible target:

Viro Botnet Malware

Vos fichiers personnels ont été chiffré.

Pour les déchiffrer, evonyez 500€ de bitcoins à cette adresse: xxxxx

Toute tentative de destruction de ce logiciel entraïnera la destruction da la clé de déchiffrement.

Toute tentative de déchiffrement avec une clé erronée entraïnera la perte définitive de vos fichiers.

Vous avez 72 heures pour effectuer le paiement. Après quoi, la clé de déchiffrement sera supprimée.

I understand French seulement un peu, so I’ll attempt an imperfect translation. I learned that les fichiers are files, and chiffré is encryption, so let’s give it a go:

Your personal files have become encrypted.

To decrypt them, send €500 worth of Bitcoin to this address: xxxxx

All attempts to destroy the software will lead to the destruction of the decryption key.

All attempts at decryption with the wrong key will lead to the loss of your files.

You have 72 hours to make your payment. After that, the decryption key will be deleted.

Contrary to popular belief, most Canadians aren’t English-French bilingual, and although my French is a little better than most Anglo Canadians, it’s still a bit weak. Oh well – c’est la vie.

Instances of ransomware are becoming a little bit less frequent in 2018 than in 2017. But many new ransomware strains are getting really, really weird. Viro botnet malware is an excellent example.

The Viro botnet attacks seen so far infect a user’s Windows machine through a malicious email attachment. If the user executes the attachment, a random encryption and decryption key is generated, which is also sent to the Viro command and control (C&C) servers.

The Viro malware then looks for two Windows registry keys, “ProductId” at “SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion” and “MachineGuid” at “SOFTWARE\\Microsoft\\Cryptography.” If both are found, the malware will then use an RSA cipher to encrypt all files with the following extensions

  • ASP
  • ASPX
  • CSV
  • DOC
  • DOCX
  • HTML
  • JPG
  • MDB
  • ODT
  • PDF
  • PHP
  • PNG
  • PPT
  • PPTX
  • PSD
    • SLN
    • SQL
    • SWP
    • TXT
    • XLS
    • XLSX
    • XML

The list covers most important documents and media file types, but nothing that would prevent the user from using Windows in a basic way. However, losing your documents is surely enough to compel most people to pay the ransome to the cyber attacker, but not enough to completely cripple them. There may be a method to the cyber attacker’s madness.

The ransom note will appear on the user’s screen when the encryption process commences. Then, the machine also becomes a part of the Viro botnet, sending emails with malicious attachments to other possible targets.

In the malware’s code, researchers have also found a keylogger which sends the logged keystrokes back to the C&C servers. They also found that infected targets may download more malware from the C&C servers and execute it through Windows PowerShell.

It appears that the cyber attackers have much greater ambition for Viro than just a botnet that transmits a unique strain of ransomware. The malware probably is still in development, and the PowerShell exploits could be used to completely control victims’ computers.

There’s no news yet as to whether or not paying the ransom will actually decrypt your files. Either way, never ever open an email attachment from an unfamiliar sender! Or check out Comodo Advanced Endpoint Protection, that will render even Viro harmless!

Related Resources:

Website Malware Scanner