The Viro botnet seeks to infect users with its ransomware and also uses compromised machines to send spam emails containing the ransomware to more potential victims.
Security researchers at Trend Micro released information about the Viro botnet, which has been targeting users in the United States. The botnet was originally discovered on September 17, 2018 and imitates the well-known Locky ransomware. Once a system is compromised and added to the botnet, it is used to send spam emails containing the ransomware in an attempt to infect more users. Once the botnet has been successfully downloaded to a machine, it checks for specific registry keys to determine whether the compromised system should be encrypted. After the encryption process is complete, a ransom note written in French is displayed, which is odd considering that most of the victims targeted so far have been in the US. It is worth mentioning that the malware also contains a keylogging feature that sends the information it collects to a C&C server. For full technical details, refer to Trend Micro’s article.