CoronaVirus Ransomware

March 19, 2020

SonicWall Capture Labs Threat Research Team has observed a ransomware family taking advantage of fear around the Coronavirus. As the world battles the novel CoronaVirus and seeks more information about it, attackers are finding new ways to exploit that attention. This particular ransomware tells the victim that CoronaVirus is on their machine and that they must pay to get rid of it.

Infection Cycle:
The ransomware does the following:
It encrypts and zips each file, then renames it to coronaVi2022@protonmail.ch__<filename> (the attacker's contact address becomes the filename prefix).

It changes the drive label (the volume name shown in Explorer) to CoronaVirus.

It drops a ransom note named CoronaVirus.txt in every folder on the infected system.

It modifies the following registry keys:

It adds the following registry keys:

The malicious sample displays the following ransom message:

It waits 20 minutes, then restarts the victim's machine and displays a second ransom note at boot.

Taking a closer look at the sample, it is a 32-bit binary.

Disassembling the code shows that it modifies the BootExecute value (the Session Manager setting whose entries are run by smss.exe at startup, before the logon screen, which is how the second note appears after the reboot) and embeds the contact email address and BTC wallet information in the note.
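As an added example (not SonicWall's code, and not part of the original write-up), the following Python script turns the indicators above into a triage check: it walks a directory tree for files carrying the coronaVi2022@protonmail.ch__ prefix and for CoronaVirus.txt notes, recovers the pre-encryption filenames, and flags any BootExecute entry other than the stock one. The registry location HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute and its default content `autocheck autochk *` are standard Windows facts, not taken from this post; the script does not read the live registry (pass the value's strings to `suspicious_bootexecute` yourself), and the infected-looking tree it builds is constructed for the demonstration.

```python
"""Added example: sweep a tree for the CoronaVirus ransomware file indicators
and check a BootExecute multi-string. Not SonicWall's code."""
import os
import tempfile
from pathlib import Path

# Indicators as described in the write-up above.
RENAME_PREFIX = "coronaVi2022@protonmail.ch__"
RANSOM_NOTE = "CoronaVirus.txt"
# Stock BootExecute content on a clean Windows install (REG_MULTI_SZ).
# Registry path (standard Windows, not from the post):
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
DEFAULT_BOOTEXECUTE = "autocheck autochk *"


def original_name(renamed: str):
    """Return the pre-encryption filename if `renamed` carries the prefix, else None."""
    if renamed.startswith(RENAME_PREFIX) and len(renamed) > len(RENAME_PREFIX):
        return renamed[len(RENAME_PREFIX):]
    return None


def sweep(root):
    """Walk `root`; return ({renamed path: original name}, [dirs holding a ransom note])."""
    renamed = {}
    note_dirs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(dirpath)
            orig = original_name(name)
            if orig is not None:
                renamed[os.path.join(dirpath, name)] = orig
    return renamed, sorted(note_dirs)


def suspicious_bootexecute(entries):
    """Return BootExecute entries that are not the stock autochk line.

    Anything else listed here is run by the Session Manager at boot, before
    logon, so a non-default entry after an infection deserves a close look.
    """
    return [e for e in entries if e.strip() and e.strip() != DEFAULT_BOOTEXECUTE]


def build_sample_tree():
    """Constructed, hypothetical infected-looking tree in a temp dir for a dry run."""
    root = tempfile.mkdtemp(prefix="corona_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / (RENAME_PREFIX + "report.docx")).write_bytes(b"\x00encrypted-blob")
    (docs / RANSOM_NOTE).write_text("constructed note: contact coronaVi2022@protonmail.ch\n")
    pics = Path(root, "Pictures")
    pics.mkdir()
    (pics / "clean.jpg").write_bytes(b"\xff\xd8\xff")  # untouched file, no prefix
    Path(root, RANSOM_NOTE).write_text("constructed note at the tree root\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    renamed, notes = sweep(root)
    for path, orig in renamed.items():
        print(f"encrypted: {path}  (was {orig})")
    for d in notes:
        print(f"ransom note in: {d}")
    # Constructed BootExecute value: the stock line plus a hypothetical extra entry.
    for e in suspicious_bootexecute([DEFAULT_BOOTEXECUTE, r"C:\Windows\Temp\note.exe"]):
        print(f"non-default BootExecute entry: {e}")
```

On a real host, run `sweep` against each fixed drive and feed `suspicious_bootexecute` the list read from the BootExecute value; the filename prefix and note name are the stable, cheap indicators here, and the recovered original names give you an inventory of what was encrypted without opening any of the zips.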



SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: CoronaVirus.RSM_2
  • GAV: CoronaVirus.RSM

This threat is also detected by SonicWall Capture ATP.