The latest version of Virlock ransomware has hit the scene, with the brand-new capability of infecting every file it comes into contact with—for a potentially disastrous, virus-like propagation technique.
Ransomware typically propagates via email, exploit kits, removable drives or external network shares. In contrast, latest variant of Virlock ransomware typically arrives via external shares or USB sticks—but from there, it can spread internally.
According to Netskope, Virlock is a special case of ransomware that encrypts files but also infects them, thereby making it a polymorphic file infector ransomware. As a result, any user who subsequently opens the infected file also becomes infected, causing all the files to become to encrypted and infected. This can cause a “fan-out” effect that could be devastating to an enterprise customer.
For instance, if it finds its way into an enterprise that enables cloud storage apps, this would allow Virlock to deliver copies of itself on the fly.
“The Virlock file infector can become a dangerous weapon in the cloud context especially due to inadvertent spreading of infected files through cloud sync and share via cloud storage and collaboration apps,” the researchers explained, in a blog. “A single user infected with Virlock ransomware can infect the rest of the enterprise by way of existing shared/collaborated files.”
An infected Virlock file contains polymorphic code, malware code and embedded clean code. When the Virlock-infected file is shared with another user, and the new user executes that file, the entire process repeats and all the files belonging to the new user are encrypted. Each of these encrypted files is again a file infector and can infect other benign users.
This can go particularly viral in a cloud environment.
“Let’s say User A and User B are collaborating on a shared a folder with the name, ‘Important',” Netskope said. “This folder has few files that both User A and User B have synced on their respective machines. User A gets infected with Virlock ransomware. User A’s files are all encrypted and turn into Virlock infector files. As part of encrypting all the files on User A’s machine, the files within the Box Sync Important folder are also encrypted and turn into Virlock infector files.”
And it gets worse from there: “When User B clicks on any of the files in the Important folder, the Virlock file infector is executed and the rest of the files on User B’s machine are encrypted and also turn into Virlock file infectors. The scenario is not just limited to User A and User B and will extend to all the users of an enterprise who are collaborating with each other.”
To protect their networks, Netskope said that enterprises can take several steps, including: Administrators should regularly back up critical data in a cloud account; on managed devices, administrators should enable the option to view known file extension in Windows; administrators should advise their uses to avoid executing any files with dual extensions unless they are very sure that the files are benign; enterprise users should avoid opening untrusted email attachments regardless of their extension or filename; and, enterprise users should always keep their systems and antivirus updated with the latest releases and patches.
Photo © Lightspring