Virobot Ransomware Outbreak Is Enslaving PCs In Spammy, Keylogging Botnet

Just when we thought things had cooled down a bit in the botnet space, we're getting word of a new outbreak that is affecting PC users in the United States. Virobot has a multi-pronged attack vector: it can not only place a victim's computer into a zombie botnet, but it also has a ransomware component.

According to Trend Micro, it first discovered evidence of Virobot on September 17th, and found that it is similar in some respects to Locky. Once Virobot has found a willing host, it will then scan the registry to see if it has the go-ahead to begin encrypting files. If the coast is clear, it will begin a file encryption process using a cryptographic random number generator.

Once the encryption process has completed, data specific to the machine is sent to a command-and-control (C&C) server. It should be noted that Virobot includes a keylogging component (with data being sent back to the C&C server), and it can also take full control over Microsoft Outlook to join in on an email spamming campaign.

To ensure that Virobot is able to thrive, the spamming involves sending emails to people in your contact list (likely hoping that they will be more likely to interact with your messages) with a copy of itself included as an attachment. Once the recipient opens that attachment, the process starts all over again. Rinse and repeat.

Rather humorously, a ransom note is also displayed on an infected user's computer, but even though Virobot has primarily affected users in the United States, it's written in French. It sounds to us like someone doesn't know their audience very well.

For now, it appears that Virobot's C&C server has been taken offline, which means that the ransomware is no longer able to encrypt files. However, there's no way of knowing if other Virobot mutations will start propagating in the coming days and weeks.