
Viro Botnet uses spam and keylogging features to distribute ransomware

October 5, 2018

IBM SecurityIntelligence - October 4, 2018 @ 9:40 AM

Security researchers observed a new attack campaign in which the Viro botnet infects devices with ransomware and then uses these compromised machines to infect more victims.

Once downloaded, according to Trend Micro, Viro first checks the registry on the infected device and then quickly generates encryption and decryption keys with a random number generator. Interestingly, although the botnet is aimed primarily at Americans, the attack displays a ransom note in French after encrypting files using RSA.

Viro made headlines when it was discovered in the wild in late 2017.

While early examples of ransomware simply held data hostage until victims paid, the recent Viro attacks involve additional features, such as harvesting users' email systems and contact lists to spam other potential victims.

Its keylogging capabilities, meanwhile, allow cybercriminals to gather other data, which is then sent back to a command and control (C&C) server; the C&C server can in turn instruct the bot to download additional malware or other files. The researchers speculated that Viro may be based on a variant of Locky that made headlines throughout 2017.

On the plus side, the researchers noted that Viro's C&C server has been down since they first observed the attacks, meaning the malware can no longer encrypt files even if it lands on a victim's machine.

How to Avoid Botnet-Generated Ransomware Attacks

Ransomware attacks like Viro usually start when someone innocently clicks on an email attachment that triggers the download process. IBM experts advise security teams to restrict the execution of programs from temporary folders, where malware files normally reside. In general, this is just a matter of using the Software Restriction Policies (SRPs) and Group Policy Objects (GPOs) already available in security tooling, which would block cybercriminals' attempts to copy and run malicious payloads from a temporary folder.

Threat actors can also drop ransomware in the AppData or Local AppData folders. Organizations can keep ransomware at bay by disabling the ability to run executables from these locations.
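The following script is an added example, not code from the article, IBM or Trend Micro. It shows one way to apply the advice above on a single Windows host: it writes local Software Restriction Policy (SRP) path rules that disallow executables launched from the temp, AppData and Local AppData folders, then offers a small check that tells you whether a given path would be caught by those rules. It assumes an elevated PowerShell session on a lab machine and the registry layout SRP reads locally under `HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers`; the list of blocked paths, the rule descriptions and the function names are constructed for this example, and in a domain the same settings would be carried by a GPO rather than written directly.

```powershell
# Added example (not the article's or Trend Micro's code): local SRP path rules
# that deny execution from temp and AppData locations, plus a matching check.
# Assumptions: elevated session, lab host, SRP local-policy registry layout.

$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0       # SRP security level "Disallowed"
$Unrestricted = 262144  # SRP security level "Unrestricted"

# Constructed deny list covering the folders the article calls out.
# Blocking all of %LOCALAPPDATA% also stops per-user installers that
# legitimately live there; allowlist those with Unrestricted rules first.
$BlockedPaths = @(
    '%USERPROFILE%\AppData\Local\Temp\*',
    '%WINDIR%\Temp\*',
    '%APPDATA%\*',
    '%LOCALAPPDATA%\*'
)

function Initialize-SaferPolicy {
    # Default level stays Unrestricted so only the explicit deny rules apply.
    # TransparentEnabled=1 enforces rules on executables (2 would add DLLs).
    # PolicyScope=0 applies the policy to all users, including local admins.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name 'DefaultLevel'       -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name 'TransparentEnabled' -Value 1             -Type DWord
    Set-ItemProperty -Path $Safer -Name 'PolicyScope'        -Value 0             -Type DWord
    Set-ItemProperty -Path $Safer -Name 'AuthenticodeEnabled' -Value 0            -Type DWord
    Set-ItemProperty -Path $Safer -Name 'ExecutableTypes' `
        -Value @('EXE','COM','SCR','BAT','CMD','PIF','JS','JSE','VBS','VBE','WSF','WSH','HTA','MSI') `
        -Type MultiString
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]    $Level       = $Disallowed,
        [string] $Description = 'Constructed rule: deny execution from user-writable temp/AppData'
    )
    # Each rule is a GUID-named key under <level>\Paths with the path in ItemData.
    $ruleKey = Join-Path (Join-Path $Safer "$Level\Paths") ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name 'ItemData'     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'   -Value 0     -Type DWord
    Set-ItemProperty -Path $ruleKey -Name 'Description'  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name 'LastModified' -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $ruleKey
}

function Get-SaferDenyRules {
    # Read back every Disallowed path rule so the policy can be audited.
    $pathsKey = Join-Path $Safer "$Disallowed\Paths"
    if (-not (Test-Path $pathsKey)) { return @() }
    Get-ChildItem -Path $pathsKey | ForEach-Object {
        [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $_.PSPath).ItemData)
    }
}

function Test-SaferBlocked {
    param([Parameter(Mandatory)] [string] $Candidate)
    # Wildcard match of a candidate launch path against the expanded deny rules.
    $expanded = [Environment]::ExpandEnvironmentVariables($Candidate)
    foreach ($rule in (Get-SaferDenyRules)) {
        if ($expanded -like $rule) { return $true }
    }
    return $false
}

# Usage on the lab host: apply the policy, then verify a typical dropper path
# is denied while a normal Program Files path is still allowed.
Initialize-SaferPolicy
foreach ($p in $BlockedPaths) { Add-SaferPathRule -Path $p | Out-Null }

Test-SaferBlocked -Candidate '%TEMP%\invoice.exe'                  # expected: True
Test-SaferBlocked -Candidate '%APPDATA%\update\svc.exe'            # expected: True
Test-SaferBlocked -Candidate '%ProgramFiles%\Vendor\app.exe'       # expected: False
```

Run `gpupdate /force` (or sign out and back in) after writing the rules so the policy engine picks them up, and watch Event ID 865 in the Application log, which SRP logs when it blocks an execution, to confirm the rule is effective and to spot legitimate software you still need to allowlist before rolling the policy out more widely.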

Source: Trend Micro


About [SAFEWAY]

[SAFEWAY] is a widely recognized provider of premium information security and cybersecurity solutions. From its extensive portfolio, we highlight several solutions, including those based on the following platforms:

● Archer from RSA Security, considered by Gartner, Forrester and the market itself to be the most complete process integration solution for Governance, Risk Management, Compliance and Business Continuity Management;

● [SAFEWAY] Security Tower, supported by IBM QRadar (Watson technology), tailored to each organization's security and cyber defense management needs;

● And others, involving technologies from Imperva, Thales, BeyondTrust, Manly and WatchGuard Technologies.

We await your contact: [email protected]
