Notes from SophosLabs: Ransomware with a difference – this one is a true virus!

Ransomware with a difference

SophosLabs processes a lot of malware each day: hundreds of thousands of samples, in fact.

The vast majority of the samples we get aren’t truly new, of course.

They’re different only in the strictly technical sense that they aren’t bit-for-bit the same as samples we’ve encountered before, just as the names Paul Ducklin and PAUL DUCKLIN are not literally identical.

Indeed, most of the new samples that show up each day are merely minor variants that we already detect, or known malware that has been encrypted or packaged differently.

Even samples that are “a bit new” are often only variations on a theme, making them important and possibly interesting, but rarely intriguing.

But SophosLabs recently drew our attention to some new ransomware that was both interesting and intriguing.

Ransomware revisited

Ransomware is malware that locks you out of your computer, or your files, and demands money to let you back in.

As you are probably aware, two popular ways for crooks to implant ransomware on your computer are:

  • Sending urgent-sounding emails, such as fake invoices or failed courier delivery notices, to pressure you into opening a poisoned attachment.
  • Using zombie malware already on your computer to download and run the ransomware program and take over your system.

But this new ransomware isn’t just malware, it’s a virus – a true virus; a self-replicating parasite that spreads of its own accord.

Once it gets into your network, even if it infects only a single computer, it may soon end up all over the place, even if no-one opens dodgy attachments or already has zombie malware infections waiting to be exploited.

A parasitic virus, in contrast to a worm, doesn’t spread merely by making copies of itself.

Parasitics find other programs and modify them to include a copy of the virus, using the original file as a host or carrier.

Worms versus parasitics

Most worms leave you with one, or perhaps a handful, of infected files that weren’t there before and need to be deleted.

Parasitic viruses, in contrast, may leave you with hundreds of infected files on each computer, or thousands, or more.

If you leave even one of those infected files behind after a clean-up, the infection will start up all over again.

Worse still, the infected files can’t just be deleted, because they are your own files that were there before the infection started.

That makes cleanup much trickier.

Disinfecting a file infected with a parasitic virus is like having a jar of ointment in which a fly has landed, but where you aren’t allowed just to throw the whole jar away.

You need to extract the fly and leave the rest of the ointment fit to use.

That’s the interesting part of what we’re calling the VirRansom threat, which is detected and blocked by Sophos as W32/VirRnsm-A.

Infecting data files

The intriguing part of VirRansom is that as well as infecting your EXE (program) files, this new virus “infects” data files, too, such as ZIPs, DOCs and JPGs.

Data files are encrypted, wrapped up into an EXE shell, and renamed so they end in .exe.

In a file viewer such as Explorer, you don’t see the appended .exe extension by default, because Windows hides known file extensions unless you turn that setting off (and anyway the virus turns extensions off again if you had them on).

Also, the virus sets the icon of the infected file to whatever it was before.

That means you could be excused for opening an infected file by mistake, because it looks as you’d expect.

And if you open an EXE file under the impression that it’s an image or a document, what you actually do is execute it instead.

So, if you inadvertently open up an infected file, the virus runs, and then it:

  • Installs itself permanently on your hard disk (using random filenames unique to each infection).
  • Sets a registry entry so it will run again after you logout or reboot.
  • Activates itself by loading various processes into memory.

Then, it unscrambles the wrapped-up file, which then loads as usual, as though nothing bad just happened.

Loosely speaking, double-clicking an “infected” image or document thus serves as a self-disinfecting malware spreader, and leaves you none the wiser.

Of course, if you try to open an infected data file directly from an application such as a photo editor, it won’t load because the image data is still scrambled inside it.

You can liberate the data in the file, but only by opening the file directly, which runs the malware first: Catch 22.
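The disguise described in this section leaves two traces a defender can check for without running anything: a data-type extension immediately followed by .exe (hidden from the user once Explorer stops showing extensions), and a PE "MZ" header inside a file whose name says it is an image, document or archive. The script below is an added example, not Sophos code or part of the VirRansom analysis; it builds a constructed sample directory (genuine JPEG/ZIP headers, a legitimately named program, and two disguised files) and walks it, reporting every file whose apparent type does not match its real extension or its content. The extension list and sample bytes are assumptions chosen for the demonstration.

```python
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions a user expects to hold data, not code (constructed list for this example).
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx", ".pdf", ".zip", ".txt", ".xls"}

# Every Windows PE executable begins with the DOS-stub signature "MZ".
PE_MAGIC = b"MZ"


def apparent_extension(path: Path) -> str | None:
    """Return the extension the user would see with 'hide known extensions' turned on.

    With that Explorer setting active, "photo.jpg.exe" is displayed as "photo.jpg",
    so the apparent extension is the one *before* a trailing .exe.
    """
    suffixes = [s.lower() for s in path.suffixes]
    if not suffixes:
        return None
    if suffixes[-1] == ".exe" and len(suffixes) >= 2:
        return suffixes[-2]
    return suffixes[-1]


def suspicious_reasons(path: Path) -> list[str]:
    """List why a file looks like a data file wrapped in an executable shell; empty if it does not."""
    reasons: list[str] = []
    ext = apparent_extension(path)
    if ext not in DATA_EXTENSIONS:
        return reasons  # not presented as a data file, so no disguise to detect here
    if path.suffix.lower() == ".exe":
        reasons.append(f"real extension is .exe but it displays as {ext}")
    try:
        with path.open("rb") as fh:
            if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                reasons.append("content starts with the PE 'MZ' signature")
    except OSError:
        pass  # unreadable files are reported by the name check alone
    return reasons


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a directory tree and map each suspicious file (relative path) to its reasons."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reasons = suspicious_reasons(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_tree() -> Path:
    """Create a constructed sample directory mixing clean files with two disguised ones."""
    root = Path(tempfile.mkdtemp(prefix="virransom_demo_"))
    (root / "docs").mkdir()
    # Genuine data (constructed): a JPEG starts FF D8 FF, a ZIP starts with "PK".
    (root / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "docs" / "backup.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
    # A correctly named program: MZ header under a .exe name is not suspicious by itself.
    (root / "tool.exe").write_bytes(PE_MAGIC + b"\x00" * 30)
    # Disguise 1: document wrapped in an EXE shell and renamed, as the article describes.
    (root / "docs" / "invoice.doc.exe").write_bytes(PE_MAGIC + b"\x90" * 30)
    # Disguise 2: executable content left under a plain image name.
    (root / "cat.png").write_bytes(PE_MAGIC + b"\x00" * 30)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, why in sorted(scan_tree(sample_root).items()):
        print(f"{rel_path}: {'; '.join(why)}")
```

The content check matters as much as the name check: a renamed file is caught by the double extension, but a wrapper that keeps the original name (or a clean-up that strips .exe without decrypting) would only be caught by the MZ signature. On a real fileserver you would run this read-only from a non-infected machine and quarantine rather than delete, since, as the article notes, the wrapped files still contain the user's recoverable data.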

Get ready to pay the money

Once you’re infected, the malware:

  • Goes looking for any other files accessible from your account that it can infect. This includes files on network and removable drives.
  • Runs two malware processes that keep an eye on each other. Each quickly restarts the other if it is killed off, so that knocking the virus out of memory can’t easily be done with standard tools for stopping programs.
  • Waits a while and then pops up a full-screen pay page to demand its ransom. This takes over your computer, preventing you from running or accessing other programs.

Interestingly, this virus is a sort of ransomware hybrid.

It locks your computer, like the Reveton family of malware, with the intention of leaving you unable to do anything else until you pay up.

It scrambles your files, like the CryptoLocker family of malware, but the virus is able to unlock your files even before you pay anything.

So the lock screen is the primary driver for getting you to pay.

The file scrambling is a secondary annoyance – a rather serious annoyance, we admit – that keeps you out of your files unless you open them directly, which then guarantees that you will become, and remain, infected.

The unlock price is £150, payable in Bitcoins only.

If you are offline when the pay screen pops up, you’ll see a generic warning.

If the virus is able to get through to one of its control servers, some basic customisation will be done, based on your location.

Fortunately, because the encryption is only a secondary component of the malware, and because the malware itself retains the keys so it can unlock the files it has scrambled automatically, Sophos Anti-Virus can decrypt them too, as part of cleaning up the malware.

So you don’t need to pay up.

Unfortunately, because this is a fully-fledged virus, and can spread across your network, doing a rush-job on clean-up can easily lead to reinfection.

With pure-play cryptoransomware like CryptoLocker, files that you can’t or don’t decrypt are garbage forever, but harmless garbage.

With VirRansom, files that you don’t decrypt are still recoverable, but also still actively infectious.

For more information

Sophos security expert Chester Wisniewski joins Paul Ducklin in an informative and educational podcast that explains how to deal with ransomware:


Kill malware with the free Sophos Virus Removal Tool

This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
