
Viro Botnet Malware

Viro botnet was first observed in the wild on September 17, 2018, seven days after Trend Micro analyzed a ransomware variant that imitates the notorious Locky ransomware. Once Viro botnet has been downloaded to a machine, it checks for the presence of registry keys (the machine GUID and product key) to determine whether the system should be encrypted.

The threat was identified by Trend Micro, who said it is a new threat that is still in development and appears to have been created from scratch: its code is dissimilar to other known ransomware variants and families.

The attacker's command-and-control (C2) server was initially active but has since been taken down, so any further devices that are infected will not have their data encrypted: a connection to the C2 server is necessary for the encryption routine to start.

After encryption it displays a ransom note and ransom screen. The ransom note is written in French.

Further details are in Trend Micro's analysis.

Indicators of Compromise (IOCs)

SHA256 hash (detected as RANSOM_VIBOROT.THIAHAH):

911b25a4d99e65ff920ba0e2ef387653b45789ef4693ef36d95f14c9777a568b

Related malicious URLs:

hxxps://viro(.)mleydier(.)fr

hxxps://viro(.)mleydier(.)fr/noauth/order/

hxxps://viro(.)mleydier(.)fr/noauth/keys/

hxxps://viro(.)mleydier(.)fr/noauth/attachment/

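Turning the indicators above into a check, as an added example that is not part of the original post or of Trend Micro's analysis: the script below refangs the published URLs, hashes files with SHA-256 in a streaming fashion and matches them against the published hash, and flags proxy log lines that reference the C2 host. The hash, URLs and detection name are the ones listed above; the log format, the sample log lines and the temporary file used in demo() are constructed for the demonstration.

```python
"""Sweep files and proxy log lines for the Viro botnet IOCs listed above.

Added example for this post, not code from Trend Micro or the original author.
The IOC values are the published ones; the log layout, sample lines and the
temporary file used in demo() are constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, Iterable, List, Optional, Set

# Published IOCs, kept defanged exactly as they appear in the article.
IOC_SHA256: Dict[str, str] = {
    "911b25a4d99e65ff920ba0e2ef387653b45789ef4693ef36d95f14c9777a568b":
        "RANSOM_VIBOROT.THIAHAH",
}
IOC_URLS_DEFANGED: List[str] = [
    "hxxps://viro(.)mleydier(.)fr",
    "hxxps://viro(.)mleydier(.)fr/noauth/order/",
    "hxxps://viro(.)mleydier(.)fr/noauth/keys/",
    "hxxps://viro(.)mleydier(.)fr/noauth/attachment/",
]

# Constructed sample proxy log lines (squid-like layout); only the 2nd and 3rd
# reference the C2 host. The last line is the parent domain, not the C2 host.
SAMPLE_PROXY_LOG: List[str] = [
    "1537200001.123 10.0.0.5 TCP_MISS/200 GET https://example.org/index.html",
    "1537200002.456 10.0.0.7 TCP_MISS/200 POST https://viro.mleydier.fr/noauth/keys/",
    "1537200003.789 10.0.0.7 TCP_MISS/200 POST https://VIRO.mleydier.fr/noauth/order/",
    "1537200004.000 10.0.0.9 TCP_MISS/200 GET https://mleydier.fr/",
]


def refang(indicator: str) -> str:
    """Undo report defanging: hxxp(s) -> http(s), '(.)' or '[.]' -> '.'."""
    refanged = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return refanged.replace("(.)", ".").replace("[.]", ".")


def ioc_domains(urls: Iterable[str] = IOC_URLS_DEFANGED) -> Set[str]:
    """Extract the distinct, lower-cased host names from the defanged IOC URLs."""
    hosts: Set[str] = set()
    for url in urls:
        no_scheme = re.sub(r"^https?://", "", refang(url), flags=re.IGNORECASE)
        hosts.add(no_scheme.split("/")[0].lower())
    return hosts


def sha256_file(path: str) -> str:
    """Hash a file in 1 MiB chunks so large samples need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep_files(paths: Iterable[str],
                table: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {path: detection_name} for each file whose SHA256 is in the table."""
    table = IOC_SHA256 if table is None else table
    hits: Dict[str, str] = {}
    for path in paths:
        digest = sha256_file(path)
        if digest in table:
            hits[path] = table[digest]
    return hits


def sweep_log_lines(lines: Iterable[str],
                    domains: Optional[Set[str]] = None) -> List[str]:
    """Return lines referencing a C2 host (case-insensitive; subdomains included).

    The lookarounds reject 'notviro.mleydier.fr' but accept the host after
    '://' or a subdomain dot, and before '/', ':' or end of line.
    """
    domains = ioc_domains() if domains is None else domains
    alternation = "|".join(re.escape(d) for d in sorted(domains))
    pattern = re.compile(r"(?<![\w-])(?:" + alternation + r")(?![\w-])", re.IGNORECASE)
    return [line for line in lines if pattern.search(line)]


def demo() -> Dict[str, object]:
    """Run both sweeps on constructed input and return the results."""
    # An empty temp file stands in for a collected sample: its SHA256 is the
    # well-known digest of zero bytes, so a constructed table exercises a hit
    # while the real IOC table correctly reports nothing.
    fd, tmp_path = tempfile.mkstemp(prefix="ioc-demo-")
    os.close(fd)
    try:
        empty_digest = sha256_file(tmp_path)
        real_hits = sweep_files([tmp_path])
        constructed_hits = sweep_files([tmp_path], {empty_digest: "CONSTRUCTED_TEST_HASH"})
    finally:
        os.remove(tmp_path)
    return {
        "domains": ioc_domains(),
        "log_hits": sweep_log_lines(SAMPLE_PROXY_LOG),
        "empty_file_sha256": empty_digest,
        "real_ioc_hits": real_hits,
        "constructed_hits_count": len(constructed_hits),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash match only identifies this exact build, since any recompiled sample changes the digest; the host match is the more durable indicator, and because the encryption routine needs a successful C2 connection, a proxy or DNS block on viro.mleydier.fr is the control that stops a host which has already run the sample from being encrypted.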
Duncan

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security and a wide range of other skills in radio, electronics and telecommunications.
