Viborot ransomware comes with a botnet

News by Robert Abel

Researchers discovered a ransomware with Botnet capabilities representing threat actors diversifying attack methods to raise the ante.

Researchers discovered a ransomware with Botnet capabilities representing threat actors diversifying attack methods to raise the ante.

Trend Micro researchers spotted the ransomware dubbed "Viborot" targeting users in the United States that once infected, the machine would become part of a spam email botnet that sought out new ransomware victims, according to a 21 September blog post.

The malware even uses the infected Machine’s Microsoft Outlook to send spam emails to the user’s contact list and was first observed in the wild on 17 September, 2018 just a week after researcher’s spotted PyLocky ransomware imitating Locky.

"Virobot was first observed in the wild on September 17, 2018, seven days after we analysed a ransomware variant that imitates the notorious Locky ransomware," researchers said in the post. "Once Virobot is downloaded to a machine, it will check the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted."

Viborot then generates an encryption and decryption key via a cryptographic Random Number Generator and will then display the ransom note. Researchers noted that the ransom note was written in French despite it primarily affecting US targets at the time.

In addition, Viborot sported a keylogging feature, and connects back to its C&C server to send logged key strokes from an infected machine, once connected to the server, the malware may download files possibly another malware and executes it using PowerShell.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews