Trend Labs documents a new ransomware attack that is designed to spread from an infected computer as both a file infector and a worm. As documented, it can spread rapidly in a network setting. The write-up notes that code stubs are present for incomplete routines, and it is believed that future variants will be even more advanced in their capabilities.

Ransomware has become one of the biggest problems for end users as of late. In the past months alone, we have reported on several variants of both ransomware and crypto-ransomware, each with their own “unique” routines. We recently came across one malware family, detected as PE_VIRLOCK, that not only locks the computer screen but also infects files—a first for ransomware. VIRLOCK variants may arrive bundled with other malware in infected computers. We have even seen one VIRLOCK variant in the CARBANAK/ANUNAK targeted attack campaign.

As mentioned, VIRLOCK also has file-infecting routines. Once in the computer, PE_VIRLOCK checks for specific file types, including the following:

  • Executable files (*.exe)
  • Common Document files (*.doc, *.xls, *.pdf, *.ppt, *.mdb)
  • Archive files (*.zip, *.rar)
  • Audio/Video files (*.mp3, *.mpg, *.wma)
  • Image files (*.png, *.gif, *.bmp, *.jpg, *.jpeg, *.psd)
  • Certificate files (*.p12, *.cer, *.crt, *.p7b, *.pfx, *.pem)

VIRLOCK does not use any of those methods to infect systems. Instead, its very nature is more damaging: a polymorphic worm with file-infecting capabilities. It bears stressing that file infectors and worms are two malware types that can effectively and efficiently spread malware—and VIRLOCK can be considered both.

If the infected system is not properly cleaned, even the presence of a single infected file will trigger the infection chain all over again. Once VIRLOCK gets into a system network, it will be all over the place; it can infect a whole network system without notice.
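
Because a single leftover infected file restarts the chain, a post-cleanup inventory of the targeted file types is worth running. The Python script below is an added example, not code from Trend Micro or the original page: it walks a directory tree using the extension list above and flags files for a follow-up AV scan. Both heuristics (a listed extension followed by `.exe`, and a listed data file whose content starts with the PE `MZ` magic) and all function names are assumptions for illustration; the sample files are constructed and harmless.

```python
import os
import tempfile

# Non-executable file types the article lists as VIRLOCK targets.
TARGET_EXTS = set(("doc xls pdf ppt mdb zip rar mp3 mpg wma png gif bmp "
                   "jpg jpeg psd p12 cer crt p7b pfx pem").split())

def classify(path):
    """Return a reason string if the file deserves a closer look, else None."""
    parts = os.path.basename(path).lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Assumed heuristic 1: listed type followed by .exe (e.g. report.pdf.exe).
    if ext == "exe" and len(parts) > 2 and parts[-2] in TARGET_EXTS:
        return "double-extension"
    # Assumed heuristic 2: listed data type whose bytes start with PE magic.
    if ext in TARGET_EXTS:
        try:
            with open(path, "rb") as fh:
                if fh.read(2) == b"MZ":
                    return "pe-header-in-data-file"
        except OSError:
            return "unreadable"  # locked or denied: review by hand
    return None

def triage(root):
    """Walk root and return sorted (relative_path, reason) pairs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                hits.append((os.path.relpath(full, root), reason))
    return sorted(hits)

def build_sample_tree(root):
    """Write constructed, harmless sample files for a dry run."""
    samples = {"report.pdf": b"%PDF-1.4", "budget.xls.exe": b"MZ stub",
               "photo.jpg": b"MZ stub", "setup.exe": b"MZ stub"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(triage(tmp))
```

A hit is a prompt for a full scan of that file, not a verdict; legitimate installers occasionally carry double extensions.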