CoronaVirus Ransomware

First observed February 2020, CoronaVirus is a ransomware tool. Despite it's name, it appears to have little relation to the COVID-19 pandemic

Threat ID:: CC-3399
Category:
Threat Severity:: Low
Threat Vector:
Published:: 19 March 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

First observed February 2020, CoronaVirus is a ransomware tool. Despite it's name, it appears to have little relation to the COVID-19 pandemic

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions

Threat details

CoronaVirus is delivered through a spoofed web page mirroring the legitimate WiseCleaner optimisation utility site. This page hosts a loader, which will attempt to install both CoronaVirus and the KPOT Stealer trojan from separate command and control servers.

Once installed, CoronaVirus will encrypt all local files matching a hard-coded extension list using an unknown algorithm. It then replaces each affected filename with an email address and in some cases will also prepend the filename with a different email address.

Threat updates

Date	Update
2 Apr 2020	CoronaVirus CoronaVirus now attempts to delete the Master Boot Record on affected systems, effectively destroying them.

Remediation steps

Type	Step
	If a device on your network becomes infected with ransomware it will begin encrypting files the logged-in user has permission to modify, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages. To reduce the likelihood of infection by ransomware, NHS Digital advises that: Secure configurations are applied to all devices. Security updates are applied at the earliest opportunity. Tamper protection settings in security products are enabled where available. Obsolete platforms are segregated from the rest of the network. IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments. Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts. Administrative accounts are only used for necessary purposes. Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations. Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible. To limit the impact of a ransomware infection, NHS Digital advises that: Critical data is frequently saved in multiple backup locations. At least one backup is kept offline at any time (separated from live systems). Backups and incident recovery plans are tested to ensure that data can be restored when needed. User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary. Infected systems are disconnected from the network and powered down as soon as practicable. Any user account credentials that may have been compromised should be reset on a clean device. Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Type

Step

If a device on your network becomes infected with ransomware it will begin encrypting files the logged-in user has permission to modify, which may also include remote files on network locations. The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.

To reduce the likelihood of infection by ransomware, NHS Digital advises that:

Secure configurations are applied to all devices.
Security updates are applied at the earliest opportunity.
Tamper protection settings in security products are enabled where available.
Obsolete platforms are segregated from the rest of the network.
IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
Administrative accounts are only used for necessary purposes.
Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

To limit the impact of a ransomware infection, NHS Digital advises that:

Critical data is frequently saved in multiple backup locations.
At least one backup is kept offline at any time (separated from live systems).
Backups and incident recovery plans are tested to ensure that data can be restored when needed.
User account permissions for modifying data are regularly reviewed and restricted to the minimum necessary.
Infected systems are disconnected from the network and powered down as soon as practicable.
Any user account credentials that may have been compromised should be reset on a clean device.
Where infected systems cannot be quarantined with confidence, then an affected organisation should disconnect from national networks to limit propagation.

Indicators of compromise

Main indicators

Email Addresses

[email protected]

Filenames

CoronaVirus.txt

SHA256 File Hashes

070cd31f685e0809b19433735d15f8265662b44391b41807de19c8e96400bb87
1c9c800d28964e7672d59e733c8eba0a262fe1d80cdee042f376927ee296c560
3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3
3c62478766e21318fc9896a2135508789e3eb65020dcc463e3665e2e469882cc
539832697774fb2b092df3c545301d1ab576d915137a366b92863645148f6788
5987a6e42c3412086b7c9067dc25f1aaa659b2b123581899e9df92cb7907a3ed
8e90cb8b2c8b0db6e64e181838e7f79539eec087cc75830108b1a84697376154
a08db3b44c713a96fe07e0bfc440ca9cf2e3d152a5d13a70d6102c15004c4240
f632b6e822d69fb54b41f83a357ff65d8bfc67bc3e304e88bf4d9f0c4aedc224
f9452ba1966aee0e4c1713a6293c9551b3ff97d4fbf065696d4691ad339878b8

Last edited: 10 January 2022 5:31 pm