Crooks Are Sending Ransomware Disguised as Coronavirus Test Results

  • Ransomware actors of the “Hentai OniChan” gang are incorporating COVID-19 trickery.
  • The crooks are sending emails claiming to have the recipient’s Coronavirus test results attached.
  • The ransom that is demanded is very large, not matching the target group of this operation.

There’s a tricky ransomware distribution campaign going on right now, using the COVID-19 theme in a way that could convince a large number of people. The threat actors are using a new version of the “Hentai OniChan” ransomware, known as the “King Engine.” This variant can exfiltrate data from the compromised system, something that wasn’t happening in the previous version of the malware.

The phishing email theme is the COVID-19 test results, something that is very hot right now. Coronavirus infections are on the rise worldwide, and there are many people who took a test and are really waiting for results. Thus, the phishing campaign is exploiting a real situation and could work well in a significant portion of recipients.

Source: Cofense

The message itself claims to have your COVID-19 test results attached and provides a password to open the document. There’s also a mention of a nurse who is ready to answer your questions, should there be any, but this is just for added legitimacy. Where the lid of the scam tin opens is the ending, signed by “your current, retired and future doctors and nurses.”

Related: U.S. Hospitals Are Under Constant Attack by the ‘Ryuk’ Ransomware Group

Hentai OniChan is dropped by the attachment and executed on the victim’s system. The amount of money the actors are asking for is an absurd 50 BTC, which is weird considering the target audience. Who is holding valuable enough files on their home computers so they would be willing to risk $676,000 for getting a decryption key?

Our guess is that the Hentai OniChan gang isn’t receiving many payments right now. Also, the Hentai OniChan operators haven’t set up a data leak portal either, but this could be on the way.

Source: Cofense

The particular ransomware belongs to the Quimera family, and the encrypted files cannot be restored by using any of the freely available tools. Thus, this group of actors has something powerful in its hands, but they aren’t using it effectively for the time being. The file extension that is appended by Hentai Onichan is “.hor,” so this is a typical sign that you’re dealing with an infection by the “King Engine.”

If you need to take a COVID-19 test, make sure to define how the results are going to reach you instead of simply accepting the lab’s way. Data protection rules have been stretched or even entirely bypassed in this pandemic situation and in the name of greater safety, so there’s confusion around who has access to COVID-19 test results. When you receive a message claiming to be exactly that, don’t act hastily and don’t download any attachments.



How to Watch Thursday Night Football Without Cable in 2021: Schedule, Time, TV Channel, Live Stream

The 2021 NFL season is kicking off, and the excitement is kicking in for American football fans all over the world. The...

HBO Leaves Prime Video as WarnerMedia Ends Deal With Amazon

Amazon and WarnerMedia end their collaboration that had HBO on Prime Video.Existing users will now have to use the HBO Max app...

How Phishing Actors Impersonated the U.S. Department of Transportation

A recent phishing campaign deployed some common but highly effective tricks to steal Microsoft account credentials.The actors impersonated the U.S. Department of...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari