VirRansom, The Latest Ransomware

Naked Security has news of a new piece of ransomware which, unlike most recent examples, is not simply a variant of CryptoLocker. Sophos have named the virus VirRansom; it differs from CryptoLocker in that it infects other files rather than just encrypting them in order to hold the user to ransom.

Once a machine is infected, VirRansom looks for further files to infect in order to propagate itself before locking down the machine and demanding a bitcoin payment. Depending on whether the host machine has an Internet connection, VirRansom either displays a generic warning or contacts a server to download data so it can show the user a customised warning, in an attempt to trick them into paying a "fine" in bitcoin.

Included in the Naked Security article is an image of the ransom warning, which contains the bitcoin address 198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv. This address received a payment of 0.003 BTC, possibly from Naked Security in order to track the coins' movements. Those coins were moved to 1N43vMz9qB1xcBFFzCGnENSmBrE3sXifrn. A Google search for that address returns results associating it with a trojan that claims pirated software has been detected, which is likely to be VirRansom. From that address, the coins were then moved to 1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL.

1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL is alleged to be the hot wallet for BTC-E and is also associated with at least one incident of theft and another of fraud: the first, a theft of 100 BTC from a Prime Dice account in September 2014; the second, fraud in which fake cloud miners were sold by in August 2014. This fits with claims that BTC-E continues to be a no-questions-asked exchange for depositing bitcoin.
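The two paragraphs above follow the 0.003 BTC payment from the ransom address through two further addresses. The following is an added example (not code from the post or from Sophos) of how an analyst can automate that kind of follow-the-money walk over transaction data: a breadth-first trace from a seed address through every transaction that spends from addresses already reached, with an optional dust filter and a hop limit. The three addresses are the ones quoted in the post; the transaction records, txids, victim and change addresses, and the `Tx` structure are all constructed here to mirror the flow the post describes and are not real on-chain data. In practice the `LEDGER` list would be filled from a blockchain API or node.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Tx:
    """Minimal transaction record (constructed shape, not a real node's format)."""
    txid: str
    inputs: list     # addresses whose coins are spent by this transaction
    outputs: list    # (address, amount_btc) pairs receiving the coins


# Addresses quoted in the post.
RANSOM_ADDR = "198tX7NmLg6o8qcTT2Uv9cSBVzN3oEozpv"
HOP1 = "1N43vMz9qB1xcBFFzCGnENSmBrE3sXifrn"
HOP2 = "1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL"

# CONSTRUCTED ledger: txids, the victim address and the change address are
# placeholders; only the three hop addresses and the 0.003 BTC figure come
# from the post.
LEDGER = [
    Tx("tx_a_constructed", ["1VictimAddressConstructed"], [(RANSOM_ADDR, 0.003)]),
    Tx("tx_b_constructed", [RANSOM_ADDR], [(HOP1, 0.003)]),
    Tx("tx_c_constructed", [HOP1], [(HOP2, 0.0029), ("1ChangeAddressConstructed", 0.0001)]),
]

# Attribution labels an analyst would maintain separately; this one is the
# post's own claim about the third address.
LABELS = {HOP2: "alleged BTC-E hot wallet (per the post)"}


def spends_from(ledger, address):
    """All transactions in the ledger that spend coins held by `address`."""
    return [tx for tx in ledger if address in tx.inputs]


def trace_funds(ledger, start, max_hops=10, min_amount=0.0):
    """Breadth-first walk from `start` along spending transactions.

    Returns a list of (hop, from_addr, txid, to_addr, amount_btc) tuples in
    discovery order. `max_hops` bounds the walk so a busy exchange address
    does not pull in the whole chain; `min_amount` drops dust outputs.
    """
    seen = {start}
    queue = deque([(start, 0)])
    hops = []
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for tx in spends_from(ledger, addr):
            for to_addr, amount in tx.outputs:
                if amount < min_amount:
                    continue
                hops.append((depth + 1, addr, tx.txid, to_addr, amount))
                # Only queue each address once so loops (e.g. change returned
                # to a reused address) cannot make the walk run forever.
                if to_addr not in seen:
                    seen.add(to_addr)
                    queue.append((to_addr, depth + 1))
    return hops


def terminal_addresses(ledger, start):
    """Addresses reached by the trace that have no onward spends in the ledger,
    i.e. where the funds currently sit as far as this data shows."""
    reached = {hop[3] for hop in trace_funds(ledger, start)}
    return sorted(a for a in reached if not spends_from(ledger, a))


def report(ledger, start):
    """Human-readable trace with any known attribution attached."""
    lines = []
    for hop, src, txid, dst, amount in trace_funds(ledger, start):
        label = LABELS.get(dst, "")
        tag = f"  [{label}]" if label else ""
        lines.append(f"hop {hop}: {src} --{txid}--> {dst} ({amount} BTC){tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LEDGER, RANSOM_ADDR))
    print("funds currently at:", terminal_addresses(LEDGER, RANSOM_ADDR))
```

Run against the constructed ledger, the trace reproduces the path in the post (ransom address to 1N43..., then to 1FsV...) and reports the BTC-E label on the final hop; the dust filter illustrates why a trace should ignore tiny outputs, since change and dust payments otherwise branch the walk into addresses that have nothing to do with the ransom proceeds.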
