New Self-Replicating Ransomware Poses Threat to Corporate Networks
NEWS ANALYSIS: A new strain of self-replicating, pervasive ransomware infects nearly anything throughout your network and then resists being removed.Ransomware is already bad enough, but if you're careful, and quick, it can be eliminated from a computer without paying a ransom. And, of course, virus software is controllable if you know what you're doing. But what about malware that contains characteristics of both? In other words, this is ransomware that spreads like a virus and it includes features that make removing it extremely difficult. This new malware was tagged by SophosLabs researchers with the name W32/VirRnsm-A, and it's a doozy. The malware can spread by normal means, such as by opening an infected email or by going to a malware-infected Website. Once the malware is downloaded, it begins by infecting data files, which could be anything from PDF files to JPG photo files. From a single computer, the infection can spread on its own throughout a corporate network.
After infecting a suitable data file, which could be almost anything, it wraps the infected file into an encrypted shell that also contains the decryption key, and gives itself an EXE file type. Then, it reattaches the original document file icon. If the computer user has file extensions turned on, it turns them off as a way to hide the fact that it changed from being a data file and then it gives itself a registry entry so it will restart reliably.