{"id":6384,"date":"2017-01-25T14:10:58","date_gmt":"2017-01-25T22:10:58","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/25\/news-221\/"},"modified":"2017-01-25T14:10:58","modified_gmt":"2017-01-25T22:10:58","slug":"news-221","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/25\/news-221\/","title":{"rendered":"VirLocker&#8217;s comeback; including recovery instructions"},"content":{"rendered":"<p>VirLocker is in no way new; it has been making a mess of victims\u2019 machines for quite a few years now. VirLocker was the first example of mainstream polymorphic ransomware, and it has caused its victims no end of misery.<\/p>\n<p>VirLocker can of course be propagated like any other malware by its author, but VirLocker has a trick up its sleeve when it comes to infecting other users. Because every file that VirLocker touches becomes VirLocker itself, many users will accidentally send an infected version of a file to friends and colleagues, backups become infected, and even applications and EXEs are not safe. Basically, once infected by VirLocker, you can no longer trust a single file on the affected machine.<\/p>\n<p>This presents a problem when attempting to clean up the machine, because nothing can be trusted and every tool you use is dirty. Even attempting to download a tool to help you can be a problem, because if VirLocker is running on the machine it will attempt to infect the new file before it is even opened.<\/p>\n<p>However, if you find yourself infected with this variant, DO NOT attempt to remove it yet! Not only does this article discuss the ransomware and how it works, it will also show you how you can get your files back without paying the ransom.<\/p>\n<h3><strong>Polymorphic functionality of VirLocker<\/strong><\/h3>\n<p>VirLocker\u2019s polymorphic abilities are a headache for everyone involved: researchers, victims, security companies, and more. 
Every time VirLocker adds itself to a file, the resulting file differs in many ways from every other copy of the malware. VirLocker can add \u201cFake Code\u201d to itself in certain sections to make the file different, it can use different APIs in the main loader of the malware to avoid section fingerprinting, it can use different XOR and ROL seeds to make the encrypted content of the executable entirely different, and more. This degree of polymorphism makes it astonishingly hard to deal with. When even the unpacker stub, which could typically be used to fingerprint a variant, is different in every file, only behavior and heuristics remain as possible methods of detection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16111\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/build.png\" alt=\"\" width=\"1624\" height=\"1240\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/build.png 1624w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/build-300x229.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/build-600x458.png 600w\" sizes=\"auto, (max-width: 1624px) 100vw, 1624px\" \/><\/p>\n<p>As you can see from the above diagram of a sample VirLocker-infected file, the payload stub can be different on each creation, the encrypted code is always seeded differently, the embedded original file will of course always differ depending on the file it attacks, and the resources are just a small icon taken from the original file it attacked. 
This leaves very little that is suitable for detection.<\/p>\n<h3><strong>VirLocker\u2019s execution chain<\/strong><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16112\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/chain.png\" alt=\"\" width=\"2500\" height=\"693\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/chain.png 2500w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/chain-300x83.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/chain-600x166.png 600w\" sizes=\"auto, (max-width: 2500px) 100vw, 2500px\" \/><\/p>\n<p>VirLocker\u2019s execution is anything but simple; it combines several protection techniques that we have previously seen only one at a time in other ransomware. When the infection is executed, the FUD packer (which can itself be polymorphic in some ways) unpacks the first decryption routine, a mixture of Base64 and XOR that is always seeded differently. This routine then decrypts a second decryption routine, a mixture of XOR\/ROL that is also always seeded differently. That second routine finally reveals the malicious code intended to run on the machine.<\/p>\n<p>At this point the ransomware checks whether it has already infected the machine and, if so, whether the ransom has been paid. If it has been paid, the ransomware becomes benign: it simply decrypts and extracts the original file that it had embedded inside itself, then closes. If the user is already infected but has not paid, it simply reopens the ransomware screen locker if it is not already open.<\/p>\n<p>If it is a new victim, the ransomware opens the file embedded inside itself to make the user think all is well. 
For example, if user B receives an infected picture from their friend, user A, then when user B opens the file the ransomware shows them the embedded picture as intended, while it continues to infect the machine in the background. This is how the ransomware self-replicates.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16108\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bytes.png\" alt=\"\" width=\"1627\" height=\"1209\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bytes.png 1627w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bytes-300x223.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/bytes-600x446.png 600w\" sizes=\"auto, (max-width: 1627px) 100vw, 1627px\" \/><\/p>\n<p style=\"text-align: center\"><em>Example of what the original good file embedded in the virus looks like.<\/em><\/p>\n<h3><strong>VirLocker overview<\/strong><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16113\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/overview.png\" alt=\"\" width=\"2500\" height=\"629\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/overview.png 2500w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/overview-300x75.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/overview-600x151.png 600w\" sizes=\"auto, (max-width: 2500px) 100vw, 2500px\" \/><\/p>\n<p>The image above shows the journey and issues that VirLocker presents. Not only is the virus hard to detect, it also has ways to keep existing without any help from the malware author. If anyone infected by VirLocker sends out files after infection, thinking it was just a screen locker, those files will infect more people. 
This continuous loop of infection can cause VirLocker to spread like wildfire.<\/p>\n<p>Once VirLocker is opened, it adds itself to nearly every file on the machine, ranging from mere pictures all the way to actual applications. Clicking on these files after the infection will only cause the ransomware to run again or, in the case of a new victim, infect them. Only after \u201cPaying\u201d the ransom will these files extract their inner \u201cGood Version\u201d onto the machine.<\/p>\n<p>For all the madness that this ransomware causes, it has proven to be an extremely effective way of spreading an infection. Imagine you get this infection and think it\u2019s just a screen locker like you have heard about. You somehow manage to remove the infection and think you are in the clear. Because the display of file extensions is turned off, you do not see that EVERY file on your machine now has a .exe extension appended after its original extension. You send your resume to a company you\u2019re applying to, and soon enough that whole business is infected.<\/p>\n<h3><strong>VirLocker \u201cDecryption\u201d and clean up<\/strong><\/h3>\n<p><span style=\"color: #ff0000\">DISCLAIMER: If you are infected with VirLocker, you are dealing with a very live and messy piece of malware. It is extremely easy to accidentally cause it to travel to other machines. It\u2019s highly recommended that, before performing the steps below, you isolate the machine from any other hardware or network. We cannot be responsible for anything that may happen to your or others\u2019 machines while following the below instructions, because of the nature of the malware.<\/span><\/p>\n<p>If you find yourself infected with VirLocker and want your files back, DON\u2019T REMOVE IT RIGHT AWAY. We need to trick the infection into thinking that you have paid the ransom, so that you can get your original files back first. 
If you have already removed the infection, clicking on any of the \u201cencrypted\/infected\u201d files will simply bring up VirLocker\u2019s screen again.<\/p>\n<p><span style=\"color: #ff0000\">IF YOU HAVE ALREADY CLEANED THE MACHINE, CONTACT PROFESSIONAL HELP BEFORE TRYING TO REINFECT IT. DO NOT REINFECT THE MACHINE SIMPLY TO FOLLOW THESE STEPS.<\/span><\/p>\n<p>Because VirLocker is so messy and has no internal cleanup or decryption routine, our goal here is to help you get back your important files and then completely reformat the machine. This post will only focus on helping you get back important files. After this is completed, a complete reformat should be done, since nothing on the machine can be trusted after this infection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16110\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/main.png\" alt=\"\" width=\"1869\" height=\"1338\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/main.png 1869w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/main-300x215.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/main-600x430.png 600w\" sizes=\"auto, (max-width: 1869px) 100vw, 1869px\" \/><\/p>\n<p>VirLock shows screens that look like the one above. They always seem to impersonate some type of legal authority. This one claims to be the Office of Criminal Investigation, whereas past versions called themselves \u201cOperation Global 3\u201d with different legal emblems.<\/p>\n<p>The important part is the \u201cTransfer ID:\u201d text box. We have found that any 64-character string will be accepted here as a real payment on this latest version of VirLocker. 
So, on your infected machine, type the following into the text box:<\/p>\n<p>0000000000000000000000000000000000000000000000000000000000000000<\/p>\n<p>(That is 64 zeros.)<\/p>\n<p>After you have done this, hit \u201cPay Fine\u201d. This will cause the ransom lock screen to disappear. VirLocker now thinks you have paid the ransom. Because of this, double-clicking any of your infected files will no longer start the ransomware but will instead extract the original file inside it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16109\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/files.png\" alt=\"\" width=\"1085\" height=\"451\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/files.png 1085w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/files-300x125.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/files-600x249.png 600w\" sizes=\"auto, (max-width: 1085px) 100vw, 1085px\" \/><\/p>\n<p>As you can see in the image above, clicking on the infected file \u201cguest.bmp.exe\u201d extracted the \u201cguest.bmp\u201d file, which is the original good version of the file. You may now use an expendable USB drive to back up all the important files that you need recovered from this nasty infection.<\/p>\n<p><span style=\"color: #ff0000\">ENSURE YOU NEVER PUT ANY .EXE FILES ONTO YOUR BACKUP DRIVE WHEN DOING THIS; THIS CAN CAUSE THE INFECTION TO SPREAD. ONLY BACK UP THE EXTRACTED ORIGINAL FILES THAT THE EXES SPIT OUT!<\/span><\/p>\n<p><span style=\"color: #ff0000\">ONLY PERFORM THIS ACTION ON THE MACHINE WHERE YOU ENTERED THE \u201c0\u2019S\u201d ON THE LOCK SCREEN. OPENING THE EXE FILES ON ANY OTHER MACHINE WILL INFECT IT!<\/span><\/p>\n<p>After you have obtained the files that are important to you, the machine should be completely wiped. 
To avoid this type of infection in the future, consider using an anti-ransomware solution like <a href=\"https:\/\/www.malwarebytes.com\/premium\/?utm_source=blog&amp;utm_medium=social\" target=\"_blank\">Malwarebytes<\/a>, which has anti-ransomware functionalities built into it!<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-16129\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/protection2.png\" alt=\"\" width=\"422\" height=\"264\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/protection2.png 422w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/01\/protection2-300x188.png 300w\" sizes=\"auto, (max-width: 422px) 100vw, 422px\" \/><\/p>\n<p>Hashes used in this analysis:<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/01\/virlockers-comeback-including-recovery-instructions\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/01\/virlockers-comeback-including-recovery-instructions\/' title='VirLocker's comeback; including recovery instructions'><img 
src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/11\/photodune-11607095-ransomware-m.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>Virlocker is back; the nightmare is still real. But we have found a way to at least recover your important files, even if the affected machine can be considered a loss.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/file-infecting\/\" rel=\"tag\">file infecting<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/file-recovery\/\" rel=\"tag\">file recovery<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/polymorphic\/\" rel=\"tag\">polymorphic<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ransomware\/\" rel=\"tag\">ransomware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/self-propagating\/\" rel=\"tag\">self propagating<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/virlock\/\" rel=\"tag\">VirLock<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/virlocker\/\" rel=\"tag\">Virlocker<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/01\/virlockers-comeback-including-recovery-instructions\/' title='VirLocker's comeback; including recovery instructions'>Read 
more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11083,11084,3764,11085,3765,11086,10494,11087,11088],"class_list":["post-6384","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-file-infecting","tag-file-recovery","tag-malware","tag-polymorphic","tag-ransomware","tag-self-propagating","tag-threat-analysis","tag-virlock","tag-virlocker"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6384","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6384"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6384\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6384"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}