VirLocker, a nasty piece of ransomware that has been making the rounds for a few years, has recommenced its nefarious activity, Malwarebytes Labs researchers warn.
The one feature that sets this piece of polymorphic ransomware apart from other threats in the category is its ability to propagate through all the files it has touched. Specifically, VirLocker copies itself into the infected files, making it very easy for victims to accidentally leak it to their friends or to copy it to removable storage.
“Backups become infected, and even applications and EXE’s are not safe. Basically, when getting infected by VirLocker, you can no longer trust a single file that is on the affected machine,” Malwarebytes Labs’ Nathan Scott explains.
The main difficulty is cleaning up the machine, because even the tools the victim attempts to use for this process might be infected. What’s more, the malware attempts to infect newly downloaded files even before they are opened, so grabbing a disinfection tool from the web might not help either, the security researcher says.
VirLocker’s polymorphic abilities are the root cause of everyone’s headache, mainly because the malware can change a file differently every time it infects it: it can add fake code in certain sections to modify the file differently, can choose between multiple APIs in the main loader to avoid section fingerprinting, can use different XOR and ROL seeds to make the encrypted content of the exe entirely different, and more.
This makes the malware very difficult to detect, because infected files can’t be used as detection signatures, considering that any infected file is “practically different in many ways than any other version of itself:” the malware always seeds the encrypted code differently, and the stub can be different each creation.
“When the infection is executed, the FUD packer (which can be in some ways polymorphic itself) unpacks the first decryption function which is a mixture of Base64 and XOR and is always differently seeded. This new decryption function then decrypts another new decryption function that is a mixture of XOR/ROL and is always differently seeded. This decryption function then finally gets to the malicious code intended to run on the machine,” the security researcher notes.
The malware checks whether it has already infected the machine and whether the ransom was paid. If it has been paid, it switches to decrypting and extracting the original file that it had embedded inside of itself, then closes. If the user hasn’t paid, the ransomware opens the screen locker, if it’s not already open.
If the computer hasn’t been infected before, VirLocker opens the file embedded inside itself to trick the user into believing there’s no issue at all. In the background, however, the malware continues to infect the machine. Thus, the ransomware can spread without its author’s intervention: if a user sends an infected photo to a friend who opens it on their computer, the second machine is automatically infected.
“If anyone ever infected by VirLocker happened to send out any files after they were infected, thinking it was just a screen locker, those files will infect more people. This continuous loop of infection can cause VirLocker to spread like wildfire,” Scott notes.
Because file extensions are hidden, users might not even notice that the files on their machine have had the .exe extension appended to them. What’s more, VirLocker adds itself to virtually every file on the computer, including media files and applications, and opening any of these files causes the malware to run again.
When trying to clean their machines, users are advised to first trick the malware into believing that the ransom has been paid, to avoid being infected once again. For that, when VirLock displays a screen lock, which usually impersonates some type of legal authority, users should enter a 64-character string in the “Transfer ID” text box, and the ransomware will accept it as a real payment. This means that even typing in 64 zeros would do the trick.
After that, users should click on the “Pay Fine” button to remove the ransom lock screen and to trick the malware into believing the ransom was paid. Next, users can start double-clicking on their infected files, as the malware will automatically extract the original files inside of them.
The security researchers recommend that users recover files that are important to them and save them on an external drive, while making sure that they avoid copying .exe files as well. Next, users should format the computer’s hard drive and re-install the operating system, for a fresh, clean start. “A complete reformat should be done, since nothing on the machine should be trusted after this infection,” Malwarebytes Labs says.
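A defender-side triage script, added here as an example and not part of the Malwarebytes or ESET tooling the article mentions: it assumes only what the article states (the malware appends .exe to data files and wraps them in an executable stub, so the infected file begins with the PE "MZ" header) and sorts a directory tree into files matching that pattern, other executables to leave behind, and plain data that is a candidate for copying to external media. The sample files it creates are constructed stand-ins, not malware.

```python
import os
import tempfile
from pathlib import Path

# Every Windows PE executable starts with the DOS header magic "MZ".
PE_MAGIC = b"MZ"

# Data extensions a VirLocker-style infection would hide behind; the trailing
# ".exe" is what the malware appends, so "photo.jpg.exe" is the tell.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx",
                   ".pdf", ".mp3", ".mp4", ".txt"}


def classify_file(path):
    """Return 'infected', 'executable' or 'data' for a single file.

    'infected'   : data-file name with .exe appended AND a PE header,
                   i.e. the pattern the article describes.
    'executable' : any other file that is, or claims to be, a PE executable;
                   the recovery advice is to leave these behind.
    'data'       : everything else, a candidate for copying out.
    """
    p = Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    with open(p, "rb") as fh:
        is_pe = fh.read(2) == PE_MAGIC
    ends_with_exe = bool(suffixes) and suffixes[-1] == ".exe"
    double_ext = len(suffixes) >= 2 and suffixes[-2] in DATA_EXTENSIONS
    if ends_with_exe and double_ext and is_pe:
        return "infected"
    if ends_with_exe or is_pe:
        return "executable"
    return "data"


def triage_tree(root):
    """Walk a directory tree and bucket every file by classify_file().

    Paths are returned relative to root, in POSIX form, sorted per bucket.
    """
    buckets = {"infected": [], "executable": [], "data": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = Path(os.path.relpath(full, root)).as_posix()
            buckets[classify_file(full)].append(rel)
    for bucket in buckets.values():
        bucket.sort()
    return buckets


def build_sample_tree():
    """Create a constructed sample directory (harmless bytes, not malware)."""
    root = tempfile.mkdtemp(prefix="virlock_triage_")
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "holiday.jpg.exe": b"MZ constructed stub standing in for an infected photo",
        "report.docx.exe": b"MZ constructed stub standing in for an infected document",
        "notes.txt": b"plain text, untouched",
        "setup.exe": b"MZ ordinary installer, single extension",
        "tools/cleaner.exe": b"MZ downloaded cleaner; per the article, not trustworthy either",
    }
    for rel, data in samples.items():
        dest = Path(root, rel)
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, files in triage_tree(sample_root).items():
        print(f"{bucket:>10}: {files}")
```

The double-extension check alone would miss a file whose original name had no recognised data extension, and the "MZ" check alone would flag every legitimate program, so the script requires both before calling a file infected and treats anything executable as something to leave off the external drive, matching the advice to skip .exe files during recovery.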
A few years back, ESET released a standalone cleaner for VirLock-infected files, available here.