New Self-Replicating Ransomware Poses Threat to Corporate Networks

By Wayne Rash  |  Posted 2014-12-08 Print this article Print
Ransomware Threat

NEWS ANALYSIS: A new strain of self-replicating, pervasive ransomware infects nearly anything throughout your network and then resists being removed.

Ransomware is already bad enough, but if you're careful, and quick, it can be eliminated from a computer without paying a ransom.

And, of course, virus software is controllable if you know what you're doing. But what about malware that contains characteristics of both? In other words, this is ransomware that spreads like a virus and it includes features that make removing it extremely difficult.

This new malware was tagged by SophosLabs researchers with the name W32/VirRnsm-A, and it's a doozy. The malware can spread by normal means, such as by opening an infected email or by going to a malware-infected Website.

Once the malware is downloaded, it begins by infecting data files, which could be anything from PDF files to JPG photo files. From a single computer, the infection can spread on its own throughout a corporate network.

After infecting a suitable data file, which could be almost anything, it wraps the infected file into an encrypted shell that also contains the decryption key, and gives itself an EXE file type. Then, it reattaches the original document file icon. If the computer user has file extensions turned on, it turns them off as a way to hide the fact that it changed from being a data file and then it gives itself a registry entry so it will restart reliably.

Finally, it launches two malware images into memory, each keeping an eye on the other, so that if one of them is shut down, it's restarted. Once it's done all of this, the malware launches a ransom notice and locks up the computer so it can't do anything else.

The next step is for the malware to infect every other data file it can find on the computer, on the mapped network and on removable drives. If even one of those infected files remains behind after a clean-up effort, it can re-infect the computer all over again.

Sounds bad, doesn't it? But it's about to get worse. According to Stu Sjouwerman, CEO of security awareness training company Knowbe4, the current version of the malware contains the decryption key, but he expects the next version to use an external key.

What this means is that a good, up-to-date antivirus or anti-malware program can remove the infection and unlock the file using the built-in decryption key. Soon it won't be able to do that.

"This is obviously version one since it carries the key in it," Sjouwerman said. "Version two will likely have the key external." But things are already changing. For now, your existing protection may still be able to handle this virus, but maybe not easily. "If you have anti-malware-antivirus, it will have a problem keeping up with this," he said.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel