Ransomware spreading via the cloud: Virlock another twist on cyber scourge

While the ransomware has been active for two years, Netskope researchers say its new strain leverages users syncing and sharing data to spread infected files through the network.
By Jessica Davis
11:23 AM

2016 has been the year of ransomware in healthcare and beyond, and cybercriminals are continually modifying their techniques to improve the effectiveness of their attacks.

A prime of example of this is the two-year old ransomware Virlock. While the virus has been around for a few years, the most recent strain is able to spread through cloud storage and collaboration applications, according to Netskope researchers.

This means users can inadvertently spread Virlock across an organization's network with a "fan-out" effect, the researchers added. In doing so, Virlock spreads via cloud sync, cloud storage and collaboration applications.

In the past, Virlock was seen as a novel ransomware as it borrowed from a wide range of threat techniques, according to Lysa Myers, security researcher at ESET, an IT security company. However, at the moment, the virus is not that prevalent.

"Malware authors often try to get crafty with adding and subtracting functionality to see if it helps make them more money," Myers said. "Parasitic infectors naturally cause a lot of unintentional corruption of infected files, as malware writers aren't generally known for their excellent quality assurance testing skills."

"So even if (an organization) did pay, they might be left with a larger-than-average number of gummed up files," she added. "As this has been in development for a few years, it would seem the author is rather committed to giving this technique their best shot. Time will tell if this becomes more effective."

Virlock works by first infecting all of a user's files, Netskope researchers said. The new 'infector files' include data synced with the cloud collaboration application, which then spreads to the cloud folder and infects the stored files.

In doing so, other users who click on the files in the shared folder, inadvertently execute the Virlock-infected files and the rest of the files on their machines become encrypted, researchers said.

The virus asks for a Bitcoin payment to unencrypt the machine, but, it appears as an FBI anti-piracy warning. Users must pay the 'first-time offender fee,' which cybercriminals user to scare victims into paying the ransom.

To prevent infection, Myers said organizations should treat Virlock like other ransomware. All software must be updated regularly. Anti-malware should be used and frequently updated, while IT leaders should routinely scan files, removable media and cloud drives. Further, organizations need to enable showing hidden-file extensions, which will filter emails with double-file extensions.

"In general, non-brute force decryptors do not exist, or have not yet been developed, so it's important to use security software to protect against all known strains, and to the largest degree possible, those yet unknown," Myers said.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com


Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.