Trendlabs says the ransomware is currently being sent through spam emails on Microsoft Outlook. With botnet capabilities, the researchers say Virobot has the ability to quickly infiltrate machines through a successful email attack. If it is activated by an unwitting user, the Virobot infection is distributed across the victim's Microsoft Outlook contact list. This is an effective and rapid distribution technique that makes this ransomware potentially dangerous.

As with most ransomware attacks, Virobot relies on the user making the mistake of actively downloading it. If that happens, it can infect a target machine, take control of all aspects of the system and then demand a ransom for unlocking it. Aside from its ransom techniques, the botnet attack also features a keylogger. This means the bad actor can observe keystrokes on an infected machine and steal user data.

Trendlabs says the attack is not associated with any other ransomware type: “Virobot was first observed in the wild on September 17, 2018, seven days after we analyzed a ransomware variant that imitates the notorious Locky ransomware. Once Virobot is downloaded to a machine, it will check for the presence of registry keys (machine GUID and product key) to determine if the system should be encrypted. The ransomware then generates an encryption and decryption key via a cryptographic Random Number Generator. Together with the generated key, Virobot will then send the machine-gathered data to its C&C server via POST.”
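The behaviours Trendlabs describes (reading the machine GUID and product key, POSTing to a C&C server, then spreading through Outlook) can be correlated per process from endpoint telemetry. The following is an added detection example, not code from Trend Micro or the article; the log format, process IDs, hosts and timestamps are constructed for illustration, while the two registry paths are the real Windows locations of the machine GUID and product ID.

```python
"""Correlate the Virobot behaviour chain per process from constructed telemetry."""
import re
from collections import defaultdict

# Constructed log format (not a real product's format), one event per line:
#   <timestamp> <pid> <REG_READ|HTTP_POST|PROC_CREATE> <detail>
LINE = re.compile(r"^(\S+) (\d+) (REG_READ|HTTP_POST|PROC_CREATE) (.+)$")

# Registry values the write-up says Virobot reads before deciding to encrypt.
FINGERPRINT_KEYS = {
    r"hklm\software\microsoft\cryptography\machineguid",
    r"hklm\software\microsoft\windows nt\currentversion\digitalproductid",
}

def parse(lines):
    """Yield (timestamp, pid, event, detail), skipping malformed lines."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, pid, event, detail = m.groups()
            yield ts, int(pid), event, detail

def correlate(lines):
    """Return pids that read a fingerprint key, POSTed out AND launched Outlook.

    All three stages are required so that a legitimate updater (which may read
    MachineGuid and POST telemetry) is not flagged on its own.
    """
    stages = defaultdict(set)
    for _ts, pid, event, detail in parse(lines):
        if event == "REG_READ" and detail.lower() in FINGERPRINT_KEYS:
            stages[pid].add("fingerprint")
        elif event == "HTTP_POST":
            stages[pid].add("post")
        elif event == "PROC_CREATE" and detail.lower().endswith("outlook.exe"):
            stages[pid].add("outlook")
    wanted = {"fingerprint", "post", "outlook"}
    return sorted(pid for pid, s in stages.items() if s >= wanted)

# Constructed sample telemetry: pid 4242 shows the full chain, pid 1337 looks
# like a benign updater, pid 777 is a user opening Outlook normally.
SAMPLE_LOG = [
    r"10:00:01 4242 REG_READ HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    r"10:00:01 4242 REG_READ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId",
    r"10:00:02 1337 REG_READ HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid",
    r"10:00:03 4242 HTTP_POST http://c2.example.invalid/upload",
    r"10:00:03 1337 HTTP_POST https://updates.example.invalid/check",
    r"10:00:04 777 PROC_CREATE C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"10:00:05 4242 PROC_CREATE C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    "this line is malformed and must be ignored",
]

if __name__ == "__main__":
    print("suspicious pids:", correlate(SAMPLE_LOG))  # → [4242]
```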
Prevention
As usual, the best mitigation is to avoid opening emails from an unknown or untrusted source. Furthermore, avoid opening or downloading any attachments if you are unsure of their origin. While this advice is sound for all emails, it is especially important for Microsoft Outlook if you want to avoid Virobot.