CoronaLocker Trojan

CoronaLocker's lock screen can be bypassed by typing "vb" into the dialogue box. To re-enable registry editing, run the following command as an administrator in Command Prompt:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” /t Reg_dword /v DisableRegistryTools /f /d 0

To prevent and detect a trojan infection, NHS Digital advises that:

• Secure configurations are applied to all devices.
• Security updates are applied at the earliest opportunity.
• Tamper protection settings in security products are enabled where available.
• Obsolete platforms are segregated from the rest of the network.
• IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
• Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
• Administrative accounts are only used for necessary purposes.
• Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
• Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.