Malicious Actors Actively Distributing Novel “CoronaVirus” Ransomware

  • The new Coronavirus outbreak constitutes an inspiration for ransomware actors, who have named a new strain after it.
  • The ransomware comes after the dropping of the KPot stealer, locking all system files and asking for a small payment.
  • The actors are rebooting the infected system and setting a key to display the ransom note upon the system start.

As reported by CyberArk researchers, there’s a new type of ransomware that spreads through a phishing website that resembles a popular Windows maintenance apps portal. The malicious URL is “WiseCleaner[.]best,” and the file that begins the infection procedure is “WSHSetup.exe.” It is actually a downloader that fetches the ransomware as well as the KPot stealer (Khalesi). KPot is a popular tool being sold for $100 on darknet forums. It is under active development and has an extensive info-grabbing ability. KPot is the first to be executed, followed by the CoronaVirus malware, which locks down the system files.

Corona process
Source: CyberArk Blog

KPot steals whatever information it can from the target computer, such as account information, web browser cookies, locally stored passwords, instant messenger histories, emails, cryptocurrency wallets, VPN, RDP, and FTP login credentials. Having pocketed all that data, the actors aren’t very interested in pushing the victims for a noteworthy ransom, and they are asking for only 0.0008 BTC, which is the equivalent of about $43. Besides encrypting files and deleting shadow copy backups, they also rename the drive to “CoronaVirus (C:).” The ransom note is dropped in every folder and the malware also changes the BootExcute key to display the ransom note upon system reboot.

Corona ransom
Source: CyberArk Blog

The rebooting of the target system is secured by the ransomware itself, as it’s built-in its functionality, and it happens as soon as every file is encrypted. The final step before rebooting is to delete the malware itself, to mitigate the risk of retrieval and analysis. The note makes the typical claims about military-grade encryption that is impossible to decrypt on your own, urging the victim to send a payment to a Bitcoin wallet or to contact the hackers via email on a ProtonMail address. We’ve checked one of the Bitcoin wallets that are used in this campaign, and, thankfully, there have been no payments made to it. However, it is almost certain that malicious actors aren’t using only one wallet and one email address.

While the “CoronaVirus” ransomware may steal the spotlight due to the trendy name and the trouble that it can cause, it is the KPot that causes all this trouble. To stay safe from it, don’t download files from obscure websites, don’t download and execute email attachments, don’t follow URLs shared through unsolicited messages, and make sure that you’re using an up to date anti-virus solution from a reputable vendor.


Recent Articles

Joseph Feiman, WhiteHat Security: We Have to Do More to Protect Election Software Systems

WhiteHat Security, Chief Strategy Officer, Joseph Feiman has been in the business for many years now, and he agreed to speak to us about...

5 Best Adult Addons for Kodi in 2020

These are the best Kodi adult addons you'll find in 2020. Best All-Around Porn Kodi Addon - XXX-O-DUS Best for Watching Full-Length Movies -...

5 Best Kodi Repositories in 2020 – Your Gateway to Hundreds of High-Quality Kodi Addons!

Here's our overview of the best Kodi repositories in 2020. Best All-Around Kodi Repository - Official Kodi Repository Best Third-Party Kodi Repository - TVAddons...