This weird ransomware strain spreads like a virus in the cloud

Virlock Ransomware Screenshot

Here is a ransomware horror story for you...

An obscure 2-year old ransomware strain called Virlock has a nasty feature: it is capable of stealthily spreading itself via cloud storage and collaboration apps. That way just one infected user can unknowingly spread the infection further across your network, Netskope researchers discovered. Virlock is borrowing from a wide range of threat techniques.

How does it work?

Virlock Polymorphic Code Ransomware normally spreads through email phishing attacks, exploit kits, removable drives or external network shares. However, Virlock is a weird family of ransomware that not only encrypts files but also converts them into a polymorphic file infector just like a virus. Apart from infecting the usual documents and image related files, it also infects binary files. Yikes.

Virlock has effectively weaponized every data file it encrypts, converting each one into a propagation vehicle for the malware itself.

Very clever -- and efficient. Why let encrypted data files sit around in an inert state on the compromised PC when they can be put to good use to spread the fun to other users through file sharing schemes of one sort or another?

An infected Virlock file is a sandwich of polymorphic code, malware code and embedded clean code, see the graphic. Netskope malware researchers illustrated how Virlock can become a dangerous cloud infection because files can be spread through cloud sync and shared via cloud storage and collaboration apps.

Trend Micro claims that Virlock can actually be classified as a polymorphic worm, but that doesn't seem correct as it's not completely autonomous and self-propagating. It really requires the actions of your users or automated file sharing schemes to propagate. A hybrid "Ransomware-Polymorphic virus" is a more correct classification.

Tweet #CyberAware

Here is an example of how it spreads

In short: User A and User B are collaborating through the cloud storage app Box, using a folder called "Important". Both users have some of the files within the folder synced to their own machine.

User A falls for a social engineering attack and gets infected with Virlock ransomware on their own machine, encrypting all their files and at the same time turning them into new Virlock infector files, including the files which are synced on Box. So, Virlock also spreads to the cloud folder and infects the files stored there, which in turn get synced to User B's machine.

Now, User B clicks on any of the files in the shared folder on their box, the infected Virlock file is executed and the rest of the files on the machine of User B become infected and in their turn becoming Virlock file infectors just like a virus. Here are the blow-by-blow screenshots, courtesy Netskope.

Virlock Ransomware 'Important' File

This “Important” folder has few files that both User A and User B have synced on their respective machines as shown here:

Virlock Ransomware Infection

User A gets infected with Virlock ransomware. User A’s files are all encrypted and turn in to Virlock infector files. As part of encrypting all the files on User A’s machine, the files within the Box Sync “Important” folder are also encrypted and turn into Virlock infector files as shown here:

The Box sync client on User A’s machine will sync the files to the cloud as shown here:

As the “Important” folder is also shared with User B, the files within “Important” folder are synced to User B’s machine Box sync folder as shown here:

The above scenario is not just limited to User A and User B and will extend to all the users of an enterprise who are collaborating with each other. Consider the User-File collaboration graph below of a typical enterprise with users (in black dots) and the files (in blue dots). All the users within the red boundary might get infected with Virlock ransomware due to fan-out effect within minutes. User File Collaboration Graph

And another weird twist, it claims to be an FBI fine for piracy

Like all other ransomware strains, Virlock asks the victim for a payment in Bitcoin in order to release their machine. However, unlike modern strains such as Cerber or Locky that blatantly stated the victim's files have been taken hostage, Virlock positions itself as an anti-piracy warning from the FBI.

The claim is that pirated software has been found on their machine and threatens them with prison and a $250,000 fine if they don't pay a $250 'first-time offender' fine. This is a tried-and-true social engineering tactic that has been used by cybercriminals for years in an effort to spook victims into paying up quickly.

Silver lining: Virlock "encryption" is not technically accurate

Netskope is claiming that Virlock "encrypts" files before infecting them with its polymorphic code. "Encrypts," however, is a bit of a strong word, and not really technically accurate. Virlock uses a so-called XOR and XOR-ROL scheme to "scramble" or "obfuscate" files.

Both procedures are reversible (if you know what you're dealing with). Real crypto-ransomware uses a combination of AES and RSA crypto algorithms to truly encrypt your files -- and there is no reversing of files encrypted that way unless the bad guys leave the private key lying around somewhere by mistake ( it has happened).

What this means is that the real task you have in remediating files taken hostage by Virlock is the job of DISINFECTION. Once the files are disinfected, it's a process to reverse the XOR/XOR-ROL obfuscation and recover the original files. In fact, there are Virlock disinfectors available -- see an example at ESET.

The Virlock bad guys have one big problem: reinfection

The bad guys using Virlock as a ransomware vehicle have a problem, the very strength of this ransomware strain (potentially massive propagation) also becomes its weak point.

Organizations pay Bitcoin ransoms only when they have some confidence that they're going to get their files back. If Virlock has spread all over their network, how can victims be sure that the file recovery process is going to work reliably and completely?

Miss one file on some share that most admins forgot about? Sorry, you're at risk for a reinfection. And that doesn't make for satisfied ransomware customers (who are purchasing remediation and recovery).

So far as we can tell, Netskope has not really uncovered a new Virlock version with major new functionality. Now, if this new version had the capabilities of a polymorphic network worm (as opposed to file infecting virus), that would be breaking news. However, this threat still relies on your users and automated file sharing to propagate.

What Netskope has done here is lay out a scenario that should be of concern to any network admin, and another excellent piece of ammo to start new-school security awareness training which includes frequent simulated phishing attacks.

Here is one great way to prevent Virlock from spreading

You need a ransomware/virus infection spreading on your network like a hole in the head. If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know really need to be done, step employees through new-school security awareness training. It will help you prevent this kind of disaster or at least make it very hard for the bad guys to social engineer your employees.

Find out how affordable this is for your organization. Get a quote now so you can deploy in Q4: