Malicious Actors Actively Distributing Novel “CoronaVirus” Ransomware

By Bill Toulas / March 17, 2020

As reported by CyberArk researchers, there’s a new type of ransomware that spreads through a phishing website that resembles a popular Windows maintenance apps portal. The malicious URL is "WiseCleaner[.]best," and the file that begins the infection procedure is "WSHSetup.exe." It is actually a downloader that fetches the ransomware as well as the KPot stealer (Khalesi). KPot is a popular tool being sold for $100 on darknet forums. It is under active development and has an extensive info-grabbing ability. KPot is the first to be executed, followed by the CoronaVirus malware, which locks down the system files.

Corona process

Source: CyberArk Blog

KPot steals whatever information it can from the target computer, such as account information, web browser cookies, locally stored passwords, instant messenger histories, emails, cryptocurrency wallets, VPN, RDP, and FTP login credentials. Having pocketed all that data, the actors aren’t very interested in pushing the victims for a noteworthy ransom, and they are asking for only 0.0008 BTC, which is the equivalent of about $43. Besides encrypting files and deleting shadow copy backups, they also rename the drive to "CoronaVirus (C:)." The ransom note is dropped in every folder and the malware also changes the BootExcute key to display the ransom note upon system reboot.

Corona ransom

Source: CyberArk Blog

The rebooting of the target system is secured by the ransomware itself, as it's built-in its functionality, and it happens as soon as every file is encrypted. The final step before rebooting is to delete the malware itself, to mitigate the risk of retrieval and analysis. The note makes the typical claims about military-grade encryption that is impossible to decrypt on your own, urging the victim to send a payment to a Bitcoin wallet or to contact the hackers via email on a ProtonMail address. We’ve checked one of the Bitcoin wallets that are used in this campaign, and, thankfully, there have been no payments made to it. However, it is almost certain that malicious actors aren’t using only one wallet and one email address.

While the "CoronaVirus" ransomware may steal the spotlight due to the trendy name and the trouble that it can cause, it is the KPot that causes all this trouble. To stay safe from it, don’t download files from obscure websites, don’t download and execute email attachments, don’t follow URLs shared through unsolicited messages, and make sure that you’re using an up to date anti-virus solution from a reputable vendor.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: