CoronaVirus Ransomware


SonicWall Capture Labs Threat Research Team has observed a ransomware family taking advantage of the Coronavirus fear. As the world battles and seeks more information about the novel CoronaVirus, attackers are finding new ways to take advantage of this. This particular ransomware tells the user that CoronaVirus is on the machine and that they should pay money to get rid of it.

Infection Cycle:
The ransomware does the following:
It encrypts and zips the files and renames them to coronaVi2022@protonmail.ch__<filename>.

It changes the drive name to CoronaVirus.


It drops CoronaVirus.txt in each and every folder of the infected system.

It modifies the following registry keys:

It adds the following registry keys:

The malicious sample shows the following ransom message.

It waits for 20 minutes before it restarts the victim's machine and displays another ransom note.

Taking a closer look at the ransomware sample, it is a 32-bit binary.

Disassembling the code shows that it modifies the BootExecute information and adds the email address and BTC wallet information.
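The host-level artefacts described above (the coronaVi2022@protonmail.ch__ rename prefix on zipped files, a CoronaVirus.txt note in every folder, and a tampered BootExecute value) can be swept for from an incident-response shell. The following triage script is an added example, not SonicWall's code or part of the original analysis. It walks a directory tree for the rename prefix and ransom notes, checks whether renamed files carry a ZIP header, and compares a BootExecute value against the well-known clean default `autocheck autochk *`; the page does not state what the sample writes to BootExecute, so the check only flags any deviation from that default. The sample directory tree and the "hypothetical_extra.exe" entry are constructed here for the demonstration.

```python
"""Added triage example for the CoronaVirus ransomware artefacts (not the page's own code)."""
import os
import sys
import tempfile
from pathlib import Path

# Indicators taken from the analysis above.
RENAME_PREFIX = "coronaVi2022@protonmail.ch__"
RANSOM_NOTE = "CoronaVirus.txt"

# Clean default of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
# (a well-known Windows default, not a value taken from the sample).
DEFAULT_BOOT_EXECUTE = ["autocheck autochk *"]

ZIP_MAGIC = b"PK\x03\x04"


def scan_tree(root):
    """Return (renamed_files, ransom_notes) found anywhere below root."""
    renamed, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(path)
            elif name.startswith(RENAME_PREFIX):
                renamed.append(path)
    return renamed, notes


def original_name(renamed_path):
    """Strip the ransomware's prefix to recover the victim's original file name."""
    return Path(renamed_path).name[len(RENAME_PREFIX):]


def looks_like_zip(path):
    """The page reports the files are zipped; a local ZIP header supports that."""
    with open(path, "rb") as fh:
        return fh.read(len(ZIP_MAGIC)) == ZIP_MAGIC


def boot_execute_is_modified(value):
    """value: the REG_MULTI_SZ BootExecute entries as a list of strings."""
    normalised = [v.strip().lower() for v in value if v.strip()]
    return normalised != DEFAULT_BOOT_EXECUTE


def read_boot_execute():
    """Read the live BootExecute value on Windows; None elsewhere."""
    if sys.platform != "win32":
        return None
    import winreg  # only importable on Windows
    key = winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE,
        r"SYSTEM\CurrentControlSet\Control\Session Manager",
    )
    value, _type = winreg.QueryValueEx(key, "BootExecute")
    return list(value)


def triage(root, boot_execute):
    """Summarise the indicators found under root plus the BootExecute check."""
    renamed, notes = scan_tree(root)
    return {
        "renamed_files": len(renamed),
        "zipped_renamed_files": sum(1 for p in renamed if looks_like_zip(p)),
        "ransom_notes": len(notes),
        "original_names": sorted(original_name(p) for p in renamed),
        "boot_execute_modified": boot_execute_is_modified(boot_execute),
    }


def build_sample_tree():
    """Constructed sample layout imitating an infected folder; not real victim data."""
    root = Path(tempfile.mkdtemp(prefix="corona_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / f"{RENAME_PREFIX}report.docx").write_bytes(ZIP_MAGIC + b"constructed")
    (root / "docs" / RANSOM_NOTE).write_text("constructed ransom note")
    (root / RANSOM_NOTE).write_text("constructed ransom note")
    (root / "clean.txt").write_text("untouched file")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    live = read_boot_execute() or DEFAULT_BOOT_EXECUTE
    print(triage(sample_root, live))
    # Hypothetical tampered value: one extra program queued to run at boot.
    print(triage(sample_root, DEFAULT_BOOT_EXECUTE + ["hypothetical_extra.exe"]))
```

On a real host, point `triage()` at the mounted volume root and pass `read_boot_execute()`; any `boot_execute_modified: True` result deserves a look at the full value before the next reboot, since the page notes the sample forces a restart about 20 minutes in.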

IOC

3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: CoronaVirus.RSM_2
  • GAV: CoronaVirus.RSM

This threat is also detected by SonicWALL Capture ATP.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.