Hackers are taking advantage of the coronavirus outbreak to create a pandemic of their own in the digital world. Cyber Security researchers have detected a new malware in the wild belonging to the ransomware family named CoronaVirus. This malware was detected in a fake site tricks users into downloading the malicious files by passing them off as legitimate software.
There's a Coronavirus themed ransomware, that actually encrypts.
Encrypted files gets name: %email address%___%original filename & ext%
Note: CoronaVirus.txt
"Donations to the US presidential elections are accepted around the clock."
🤔@demonslay335
cc @VK_Intel pic.twitter.com/ljlMm7PFnB— MalwareHunterTeam (@malwrhunterteam) March 12, 2020
Buy One Get One: The Ransomware and Trojan Bundle
MalwareHunterTeam, the researchers who discovered the threat, warn that the ransomware is bundled with an info-stealing trojan, called KPOT. The KPOT trojan is capable of harvesting credentials from web browsers, instant-messaging apps, email clients, and gaming software. KPOT is also infamous for its ability to steal cryptocurrency wallets.
CoronaVirus ransomware spreads by using a spoofed webpage that imitates WiseCleaner, a legitimate software app used for system maintenance. While the bogus site doesn't offer any downloads, it has managed to distribute a malicious file called WSHSetup.exe that acts as a dropper for both CoronaVirus ransomware and KPOT.
When the malicious file is executed, it will attempt to download a total of seven files from a remote Command and Control server (C&C). Currently only two files (file1.exe and file2.exe) have been spotted.
File1.exe is an installer for KPOT Trojan, and file2.exe installs CoronaVirus Ransomware.
Unlike other cryptolockers, such as the terrifying VegaLocker, CoronaVirus ransomware has a relatively limited list of target files. The threat corrupts only the following file types:
.txt, .pdf, .jpg, .jpe, .rar, .gif, .acc, .asm, .avi, .bak, .bat, .cry, .dbf, .doc, .dxf, .dwg, .epf, .erf, .gbr, .tex, .xls, .xml, .vsd, .csv, .bmp, .tif, .tax, .png, .mdb, .mdf, .sdf, .dgn, .stl, .gho, .ppt, .vpd, .odt, .ods, .zip, .cpp, .pas, .rtf, .lic, .mov, .vbs, .mxl, .cfu, .mht, .old
Unlike most ransomware instead of appending a new extension to the encrypted files, CoronaVirus renames the encrypted files with the threat actors' email address. For example, a file named "guest list.txt" will be renamed to "coronaVi2022@protonmail.ch___1.txt." Alternatively, some file names might repeat the email address multiple times.
CoronaVirus ransomware will also create a ‘CoronaVirus.txt’ file containing a ransom note and drop it in each folder with encrypted data. The note briefly explains the situation and lists the hackers' demands and ends with a short message that says "Donations to the US presidential elections are accepted around the clock."
CoronaVirus Ransomware Ransom Note: “ CORONAVIRUS is there To assist in decrypting your files, you must do the following:
All your file are crypted.
Your computer is temporarily blocked on several levels.
Applying strong military secret encryption algorithm.
1. Pay 0.008 btc to Bitcoin wallet bc1q8r42fm7kwg68dts3w70qah79n5emt5m76rus5u or purchase the receipt Bitcoin;
2. Contact us by e-mail: and tell us this your unique ID: 94C492AD07F35492DA90CAAA25986929
and send the link to Bitcoin transaction generated or Bitcoin check number.
After all this, you get in your email the following:
1. Instructions and software to unlock your computer
2. Program - decryptor of your files.
Donations to the US presidential elections are accepted around the clock.
Desine sperare qui hic intras! [Wait to payment timeout 25 - 40 min]”
The asked ransom of 0.008 BTC (approximately $40) seems rather low compared to the demands of other ransomware that extort their victims for 0.5 BTC and more. However, this is
Additionally, the ransomware will rename the C: drive to "CoronaVirus." This alteration is not necessary for the normal operation of the malware. Researchers presume that it is performed as an act of bragging or trolling.
Another surprise for the victims is a lock-screen message that appears on system reboot. Before the Windows OS is loaded, the text of the ransom note will appear on the screen of the victims.
The message will keep the computer locked for 45 minutes. A slightly different message will then appear on the screen, preventing the user from using their computer for an additional 15 minutes. Once the lock time is over, the ransomware will boot Windows OS and display the CoronaVirus.txt ransom note upon logging.
The unusual design of the CoronaVirus ransomware leaves room for speculation. Researchers argue that the CoronaVirus is designed as a smokescreen that conceals the actual threat – the info-stealing trojan KPOT since it is stealing passwords, cryptocurrency wallets, and cookies in the background.
Experts advise users who have been infected with the ransomware to immediately find a virus-free device and change all of their passwords.
Leave a Reply
Thank you for your response.
Please verify that you are not a robot.