ESET research has analysed first case of ransomware that also acts as polymorphic parasitic virus
ESET, has analyzed new member of ransomware family detected by its telemetry under name Win32/VirLock. It is the first time ESET researchers have seen ransomware which locks screen of victims device and also acts as polymorphic parasitic virus infecting files on user’s device. To restore VirLock-infected files, victims can download and use ESET’s standalone cleaner.
Until now, ransomware has usually been categorized into two basic groups: LockScreens and Filecoders. In rare cases, ransomware takes a hybrid approach by both encrypting files and locking the screen by displaying a full screen message demanding ransom. An example of this behavior is Android/Simplocker – the first filecoder for Android ESET had detected earlier this year.
VirLock infects the files by morphing them into encrypted executables containing the virus body. Another part of the payload is responsible for the LockScreen functionality – with typical protective measures like shutting down explorer.exe, the Task Manager – and for displaying the ransom screen.
“From a technical point of view, probably the most interesting part about VirLock is that the virus is polymorphic, meaning its body will be different for each infected file and also each time it’s executed. Moreover, our analysis has revealed multiple levels of encryption, which suggests that the malware author has truly played around with the code,” said Robert Lipovsky, Malware Researcher atESET