- Jul 22, 2014
The VirLocker ransomware made a comeback this past week with a new and very virulent version, but the Malwarebytes security team says there's a way for victims to recover files by entering a special code in the payment field.
VirLocker, also known as VirLock or VirRansom, is a ransomware family that was first spotted by Bleeping Computer in 2014 and was first referred to as Operation Global III.
The ransomware never went away after its first versions and kept a low profile, never being at the heart of massive spam campaigns like the ones that pushed TorrentLocker, CryptoLocker, TeslaCrypt, and more recently Cerber and Locky. New versions continued to come out, like this one in 2016, and the one discovered by Malwarebytes this week.
VirLocker can be removed with one code
According to long-time Bleeping Computer forum user and Malwarebytes security researcher Nathan Scott, this recent version can be defeated, even without a special decryptor.
The trick, Scott says, is to enter 64 zeros in the VirLocker ransom note, in the "Transfer ID" section.
0000000000000000000000000000000000000000000000000000000000000000
This code will trick the ransomware into thinking the user has paid the ransom. But the user's work is not yet done, and it's actually only beginning.
VirLocker encrypts and packs all files inside executables
The VirLocker infection process is in large part the same as it was in 2014, and works by taking a victim's files and wrapping them inside an EXE shell. This means that all files are encrypted and then repackaged as an executable.
more in the link above...
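Because the locker described above turns every victim file into an executable, the first practical step after entering the unlock code is finding which files on disk are actually wrapped. The scanner below is an added example, not code from the Bleeping Computer article, Malwarebytes or the VirLock analysis it reports on. It uses two generic heuristics that are assumptions on my part rather than anything the post states: a file whose content begins with the PE "MZ" header while its name carries a non-executable extension, and a double extension such as report.pdf.exe. The sample files it builds are constructed stand-ins, not real malware.

```python
"""Triage scanner for files that may have been wrapped inside an EXE shell.

Heuristics (assumptions for this example, not VirLock signatures):
  1. Content starts with the PE/MZ header but the filename's extension is a
     non-executable type (content/extension mismatch).
  2. A document-style inner extension is followed by an executable outer
     extension, e.g. report.pdf.exe (assumes the locker appends .exe).
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Optional, Union

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
                 ".jpg", ".jpeg", ".png", ".gif", ".txt", ".zip", ".rar", ".mp3"}
MZ_MAGIC = b"MZ"  # first two bytes of every DOS/PE executable


def classify(path: Union[str, Path]) -> Optional[str]:
    """Return a short reason if the file looks wrapped, otherwise None."""
    p = Path(path)
    suffixes = [s.lower() for s in p.suffixes]
    outer = suffixes[-1] if suffixes else ""
    inner = suffixes[-2] if len(suffixes) >= 2 else ""
    # Heuristic 2: document.ext.exe style double extension (name only)
    if outer in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS:
        return f"double extension {inner}{outer}"
    # Heuristic 1: PE header hiding under a non-executable name (content)
    try:
        with p.open("rb") as fh:
            magic = fh.read(2)
    except OSError:
        return None  # unreadable or missing: nothing to judge
    if magic == MZ_MAGIC and outer not in EXECUTABLE_EXTS:
        return f"PE header but extension {outer or '(none)'}"
    return None


def scan(root: Path) -> Dict[str, str]:
    """Walk root; map each flagged file's relative path to the reason."""
    flagged: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            reason = classify(p)
            if reason:
                rel = str(p.relative_to(root)).replace(os.sep, "/")
                flagged[rel] = reason
    return flagged


def build_sample_tree(root: Path) -> None:
    """Constructed sample files: two clean, two that mimic wrapped files."""
    (root / "docs").mkdir(parents=True, exist_ok=True)
    fake_pe = MZ_MAGIC + b"\x90\x00" + b"\x00" * 60  # MZ header, no real code
    (root / "docs" / "invoice.pdf").write_bytes(b"%PDF-1.4\n%%EOF\n")  # clean
    (root / "setup.exe").write_bytes(fake_pe)                         # clean exe
    (root / "notes.txt").write_bytes(b"meeting notes\n")              # clean
    (root / "docs" / "report.pdf").write_bytes(fake_pe)   # PE under a .pdf name
    (root / "photo.jpg.exe").write_bytes(fake_pe)         # double extension


def demo() -> Dict[str, str]:
    """Build the sample tree in a temp dir and return what the scan flags."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print(f"{rel}: {why}")
```

Run it against a real volume by calling scan(Path("D:/")) instead of demo(); the output is a candidate list to hand to whatever recovery procedure the article goes on to describe, not proof that a file is infected, since a legitimate installer renamed by a user will also trip the first heuristic.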