Virobot Ransomware Outbreak Is Enslaving PCs In Spammy, Keylogging Botnet
According to Trend Micro, it first discovered evidence of Virobot on September 17th, and found that it is similar in some respects to Locky. Once Virobot has found a willing host, it will then scan the registry to see if it has the go-ahead to begin encrypting files. If the coast is clear, it will begin a file encryption process using a cryptographic random number generator.
Once the encryption process has completed, data specific to the machine is sent to a command-and-control (C&C) server. It should be noted that Virobot includes a keylogging component (with data being sent back to the C&C server), and it can also take full control over Microsoft Outlook to join in on an email spamming campaign.
To ensure that Virobot is able to thrive, the spamming involves sending emails to people in your contact list (likely hoping that that they will be more likely to interact with your messages) with a copy of itself included in an attachment. Once the recipient accesses that attachment, the process starts itself all over again. Rinse and repeat.
Rather humorously, a ransom note is also displayed on an infected user's computer, but even though Virobot has primarily affected users the United States, it's written in French. It sounds to us like someone doesn't know its audience very well.
For now, it appears that Virobot's C&C server has been taken offline, which means that the ransomware is no longer able to encrypt files. However, there's no way of knowing if other Virobot mutations will start propagating in the coming days and weeks.