Crooks Are Sending Ransomware Disguised as Coronavirus Test Results

  • Ransomware actors of the “Hentai OniChan” gang are incorporating COVID-19 trickery.
  • The crooks are sending emails claiming to have the recipient’s Coronavirus test results attached.
  • The ransom demanded is very large and does not match the apparent target group of this operation.

There’s a tricky ransomware distribution campaign going on right now, using the COVID-19 theme in a way that could convince a large number of people. The threat actors are using a new version of the “Hentai OniChan” ransomware, known as the “King Engine.” This variant can exfiltrate data from the compromised system, something that wasn’t happening in the previous version of the malware.

The phishing email theme is COVID-19 test results, a subject that is on many people’s minds right now. Coronavirus infections are on the rise worldwide, and many people have taken a test and are genuinely waiting for results. The campaign is therefore exploiting a real situation and could work on a significant portion of recipients.

Source: Cofense

The message itself claims to have your COVID-19 test results attached and provides a password to open the document. There is also a mention of a nurse who is ready to answer any questions, but this is just for added legitimacy. The giveaway is the signature at the end: “your current, retired and future doctors and nurses.”


Hentai OniChan is dropped by the attachment and executed on the victim’s system. The amount the actors are asking for is an absurd 50 BTC (roughly $676,000 at the time of writing), which is odd considering the target audience. Who keeps files on a home computer valuable enough to justify paying that much for a decryption key?

Our guess is that the Hentai OniChan gang isn’t receiving many payments right now. Also, the Hentai OniChan operators haven’t set up a data leak portal either, but this could be on the way.

Source: Cofense

This particular ransomware belongs to the Quimera family, and files it encrypts cannot currently be restored with any of the freely available decryption tools. So this group of actors has something powerful in its hands, but it isn’t using it effectively for the time being. The file extension appended by Hentai OniChan is “.hor,” so that is the typical sign that you’re dealing with an infection by the “King Engine.”

If you need to take a COVID-19 test, agree with the lab in advance on how the results will reach you instead of simply accepting whatever channel they use. Data protection rules have been stretched or even entirely bypassed during the pandemic in the name of greater safety, so there is confusion around who has access to COVID-19 test results. When you receive a message claiming to contain exactly that, don’t act hastily and don’t download any attachments.
