VirLock, the first shapeshifting ransomware
By Digital News Asia January 5, 2015
- ESET analyses ransomware that also acts as polymorphic parasitic virus
- VirLock morphs files into encrypted executables containing the virus body
ESET said it has analysed a new member of the ransomware family detected by its telemetry under the name Win32/VirLock.
It is the first time ESET researchers have seen ransomware which locks the screen of the victim’s device and also acts as polymorphic parasitic virus infecting files on user’s device, the Bratislava, Slovakia-based IT security firm said in a statement.
Until now, ransomware has usually been categorised into two basic groups: LockScreens and Filecoders.
In rare cases, ransomware takes a hybrid approach by both encrypting files and locking screens by displaying a full screen message demanding ransom. An example of this behaviour is Android/Simplocker, the first filecoder for Android ESET had detected earlier this year.
VirLock infects the files by morphing them into encrypted executables containing the virus body. Another part of the payload is responsible for the LockScreen functionality – with typical protective measures like shutting down explorer.exe, the Task Manager – and for displaying the ransom screen.
“From a technical point of view, probably the most interesting part about VirLock is that the virus is polymorphic, meaning its body will be different for each infected file and also each time it’s executed,” said Robert Lipovsky, malware researcher at ESET.
“Moreover, our analysis has revealed multiple levels of encryption, which suggests that the malware author has truly played around with the code,” he added.
For more information and details about VirLock, read the analysis by ESET researchers here. Victims of the VirLock infection can download and use ESET’s standalone cleaner to restore their files, the company said.
Fortinet warns of ransomware targeting mobile devices
40,000 systems infected by TorrentLocker ransomware
Sony Pictures hack the ‘perfect APT story,’ says ESET
For more technology news and the latest updates, follow us on Twitter, LinkedIn or Like us on Facebook.