Viro Botnet: A New Ransomware

Viro Botnet Ransomware

This year has been amazing till now for the attackers. With the days passing by and tech evolution, the attackers are just bypassing all the cyber security techniques used by major organizations. On the other hand, cybersecurity organizations are completely failing to prevent these attacks.

We lived in a world where we earlier used to read news about world, society and science. But as of now, when we look up to our mobile screens for news or whenever we read a newspaper, all we can see is cyber threats, and multiple infections surfacing online, all ready to steal your personal information such as, credit card details, personal IDs, data and other sensitive information.

Similarly, a new ransomware was discovered by Trend Micro researchers, named as Viro Botnet Ransomware, which behaves as both, botnet and ransomware. This ransomware is currently active in United States and is targeting Windows users.

Let us know some more about this ransomware, like how it works and what is it capable of.

How Viro Botnet Ransomware Works?

How Viro Botnet Ransomware Works

Image source:


1. Once, the file named “Ransom_VIBOROT.THIAHAH” is installed on system, it directly goes for checking registry keys, to see whether the system is encrypted or not.

2. After this, it creates an encryption and decryption key with cryptographic Random Number Generator. As soon as the key is generated, Viro botnet starts gathering information from system and simultaneously keeps sending the data to its host server through POST.

3. Following to which, it begins with encryption process via RSA encryption technique.

4. Once, the system is encrypted, it shows a ransom message, which is written in French.

Must Read : An Insight to CoinVault Ransomware

What Viro Botnet Is Capable Of?

Well, Viro Botnet seems powerful and infectious, let us know some more about it.

1. Viro Botnet comes in a file name “Ransom_VIBOROT.THIAHAH” with .exe extension. This botnet gathers information from registries, and directly attacks machine GUID for it.

2. It collects:

  • Machine GUID
  • Machine name
  • User name
  • Other details

3. For sending and receiving information, it redirects and connects system to website with URL “http://viro.m{BLOCKED}”, which is hosted by attacker’s server. It can also redirect users to other malicious websites as well, which are:

  • hxxps://viro(.)mleydier(.)fr
  • hxxps://viro(.)mleydier(.)fr/noauth/order/
  • hxxps://viro(.)mleydier(.)fr/noauth/keys/
  • hxxps://viro(.)mleydier(.)fr/noauth/attachment/
  • hxxps://viro(.)mleydier(.)fr/noauth/attachment/

4. This ransomware is capable of doing lots of other things as well, which are:

  • Downloads and executes a file
  • Propagate
  • Log Keystrokes
  • Makes the infected system imitate as a Botnet to send spam emails
  • Can encrypt files in fixed, removable and network drives
  • Once, the files are encrypted, it shows a message with the ransom text written in French

5. Viro Botnet can encrypt files with the following extensions:

.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .odt, .pdf, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .swp, .txt, .xls, .xlsx, .xml

6. Viro Botnet can also be present with alias name, that is “HEUR:Trojan.Win32.Generic”. It is currently active in United States and is only targeting Windows users for now.

What’s the Status?

However, for now, Viro Botnet has been taken care of by Trend Micro, as they have succeeded in taking down the server. Also, they have blocked all the websites connected to the server. But, still we should stay aware and should keep taking necessary and useful preventions to stay safe and secure from attackers.

Also Read : All You Need to Know About the GandCrab Ransomware

If you found this helpful, please let us know. You can also drop your feedback in the comment section below.

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *