New dangerous file locker and ransomware encountered – Win32/VirLock.J
We were unlucky enough to encounter the really nasty Win32/VirLock.J virus at a client we just started working with yesterday, on a system that was not protected by any antivirus. The really nasty virus packs three punches:
- It locks you out of your system, asking you to pay a ransom in Bitcoin – recovery from this is possible but not straightforward
- It encrypts your files and embeds the virus itself in those files – but the virus changes slightly, morphing and making it harder to detect
- When you try to view one of the encrypted files, the virus decrypts the file and then installs itself on your system – this means if you try to open the file on another computer, you’ll infect that computer as well.
This particular issue has clocked up around 7 hours of work to clean it up thus far, and what makes it worse, the client does not yet have adequate backup in place on this system, which performs critical tasks at their retail store.
We don’t yet know how this virus made its way onto the system, but the suspects at the moment are USB key sharing, and running unpatched Java and Adobe Flash plugins in a web browser (this is so easy to prevent it’s not funny – we do it with computerCare automatically for you each day).
Please please please – if you have important data on your laptop or desktop, ensure you run top quality antivirus, regularly patch your applications and web browsers, and have an automated data backup system in place for the important data.
Additional information is available here: http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter
A file infected with VirLock will be embedded into a Win32 PE file and the .exe extension appended to its name, unless it was already an executable file. When it is executed, it decrypts the original file from within its body, drops it to the current directory and opens it. The decryption methods are described later in the article. This behavior clearly sets it apart from typical filecoders.
VirLock then installs itself by dropping two randomly named instances of itself (not copies – the virus is polymorphic, so every instance is unique) into the %userprofile% and %allusersprofile% directories and adds entries in the Run registry keys under HKCU and HKLM so that they are launched when Windows boots up. These instances, which only contain the virus body without a host file to decrypt, are then launched. More recent variants of VirLock also drop a third instance that is registered as a service. This approach serves as a simple self-defense mechanism for the malware – processes and files get restored when they’re terminated or deleted.
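The persistence and host-file behaviour described above can be checked for on a suspect machine with a read-only triage script. This is an added example, not code from this post or from the WeLiveSecurity article; it assumes an elevated Windows PowerShell 5.1 session, that the folder to scan is the user's Documents folder (adjust as needed), and that the list of data extensions is just an illustrative selection.

```powershell
# Added triage example (not from the article or this post). Read-only: it reports and changes nothing.
# Assumption: run elevated in Windows PowerShell 5.1 on the machine being examined.

$suspectRoots = @($env:USERPROFILE, $env:ALLUSERSPROFILE)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Test-UnderSuspectRoot([string]$path) {
    foreach ($root in $suspectRoots) {
        # Case-insensitive substring match so quoted paths ("C:\Users\...") still match
        if ($path.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# 1. Run entries (HKCU and HKLM) whose target lives under %userprofile% or %allusersprofile%
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties
    foreach ($p in $props) {
        if ($p.Name -like 'PS*') { continue }            # skip PowerShell's own metadata properties
        if (Test-UnderSuspectRoot ([string]$p.Value)) {
            [PSCustomObject]@{ Check = 'RunKey'; Key = $key; Name = $p.Name; Target = $p.Value }
        }
    }
}

# 2. Services whose binary lives under those directories (newer variants add a service instance)
Get-CimInstance Win32_Service | ForEach-Object {
    if (Test-UnderSuspectRoot ([string]$_.PathName)) {
        [PSCustomObject]@{ Check = 'Service'; Name = $_.Name; Target = $_.PathName }
    }
}

# 3. Data files that gained an .exe suffix (e.g. invoice.pdf.exe) and really are PE images ("MZ" header)
$scanRoot = Join-Path $env:USERPROFILE 'Documents'     # assumption: point this at the affected share
Get-ChildItem -Path $scanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.(doc|docx|xls|xlsx|pdf|jpg|png|txt)\.exe$' } |
    ForEach-Object {
        $fs = [System.IO.File]::OpenRead($_.FullName)
        try { $hdr = New-Object byte[] 2; $n = $fs.Read($hdr, 0, 2) } finally { $fs.Close() }
        if ($n -eq 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A) {
            [PSCustomObject]@{ Check = 'HostFile'; Target = $_.FullName; Size = $_.Length }
        }
    }
```

Treat every hit as a lead for a scanner and a proper cleanup, not as proof on its own, and do not open any flagged file: as the article notes, running it drops the decrypted host file and reinstalls the virus.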