Threat Management, Malware, Ransomware

VirLocker ransomware resurges, but a solution is offered

VirLocker ransomware is nasty, but a free solution is on offer, according to a blog post from Malwarebytes Labs.

Researchers at the anti-malware firm have been studying the polymorphic ransomware, which has been around for a number of years, but is in the midst of a resurgence.

The infection is quite extensive, they said, as the coding infects every file it touches on targeted machines. Which means, any file distributed from that point will carry the scourge to the next recipient, including backups, apps and EXEs. No file can be trusted once a single file is polluted with the malware, the researchers said.

But, there's hope in cleaning up the computer – and the strategy gets around the ransom demand.

The first step, Malwarebytes advised, is to NOT attempt to remove the malware just yet.

That's because this is a particularly malicious ransomware that corrupts every file it touches. It can add “Fake Code” to render files differently, it can enlist APIs in the main loader of the malware to escape section fingerprinting, and it can use alternative XOR and ROL seeds to render the encrypted content of the exe entirely different, the researchers explained.

The way it unpacks its decryption functions is also sophisticated in its capability to check whether a machine has already been infected and whether it has been paid. If it has been paid, the ransomware signs off "and simply decrypts and extracts the original file that it had embedded inside of itself, and closes."

On victim machines which have yet to pay, the ransomware screen will reappear.

"It has proven to be an amazing infection spreading method," the post, signed nscott, pointed out. But even when a victim pays up and believes the infection is cleared up, the ransomware is still operating undetected so that any files sent out will pass the ransomware on to the recipient.

The solution offered by Malwarebytes comes with a disclaimer, first advising anyone attempting a cleanup to isolate their machine from any other hardware or network, and then the firm clears itself of responsibility as the malware is so insidious.

But, there is a fix, and that involves tricking the malware into believing that the ransom demand has been met, so that files can be recovered. And that trick is the use of a 64-length string, consisting of all zeros, that dupes the ransomware into believing it has been paid and causes the Ransom Lock Screen to disappear.

A few more steps are necessary, including backing up files onto a USB drive and then wiping the entire machine. But files can be recovered, nscott said.

The challenge for security analysts is that the attackers alter their malware with different types of dynamic coding, obfuscation and encryption, Nathan Scott, technical product manager at Malwarebytes told SC Media on Thursday. For example, randomly including APIs, using a different seed in the polymorphic code, will always produce a different looking code inside, even when the same actions are performed, he said. "This is why behavioral detection these days are so important."

However, he added, the delivery method remains the same. "What is different in this version is the introduction of a more advanced polymorphic engine than the last variants, different encryption/obfuscation methods and different GUI, payment and decryption processes."

These changes, he added, make it much harder to detect this threat considering every time it touches a file it creates a new version of itself that has never before been seen. 

"What is worse, with the newer additions, previous fingerprinting that was used by security companies to be able to detect all variants is no longer possible now that nearly the whole EXE is ever-changing and polymorphic, Scott told SC.

The changes tell the researchers at Malwarebytes that these creators are above average in terms of protection and detection. But, Scott said, unexpectedly they seem to show a different side when their payment processing and decryption functions have been defeated for many of their variations now. "Operation Global 3 (a earlier variant of VirLocker) was also able to be cracked open without paying."

So far every version has had a "blip" that has allowed the ability to get their files back, he said. "It's more of the polymorphic engine improvements and self-replicating abilities that I'm interested in."

"Stay safe and protect yourself from ransomware," Scott concluded.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.