CoronaCrypt0r Ransomware

Posted: August 28, 2020

The CoronaCrypt0r Ransomware is a file-locking Trojan that's not a part of a defined family or Ransomware-as-a-Service. The CoronaCrypt0r Ransomware stops files from opening by encrypting them, adds extensions to their names, and displays a potentially screen-blocking ransom note that asks for Bitcoins. Users with backups can disregard the extortion attempt and remove the CoronaCrypt0r Ransomware through any competent anti-malware service, before recovering their media from the backup.

An Echo of an Old Trojan in New Ones

Little of its code remains useful to the modern threat landscape, but the WannaCryptor Ransomware (also referenced as 'WannaCry') is a still-relevant mascot for file-locking Trojans in general. This influence is most substantial in independently-programmed threats, like the CoronaCrypt0r Ransomware. Besides resembling that notorious Trojan in appearance, the CoronaCrypt0r Ransomware also takes advantage of some of the WannaCryptor Ransomware's infrastructure for the ever-essential profits of its campaign: Bitcoin ransoms.

The primary attributes of the CoronaCrypt0r Ransomware correlate to those of many similar threats throughout the years. The Trojan requires the Windows .NET Framework to run and uses the Registry to persist on the system as a silent, invisible attacker. The Trojan proceeds with encrypting media files (malware experts confirm JPG pictures, but documents and other formats are likely to have support) and, after locking them, injects 'Lock' extensions into their names. This traditional attack method places the user's data in a hostage scenario for ransoming.

The CoronaCrypt0r Ransomware then generates a pop-up with its ransom demands in an HTA format that may also block the Windows UI. It provides a countdown-based deadline for payments and uses a free e-mail negotiation channel while asking for twenty USD in Bitcoins. Although malware researchers see no distinct code relationship between the CoronaCrypt0r Ransomware and the WannaCryptor Ransomware, its cosmetic similarities include sharing a hardcoded wallet address with the older Trojan. Unfortunately, some transactions throughout the years also correspond to possible ransom payments.
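For post-incident triage, the JPG targeting and 'Lock' extensions described above can be turned into a file sweep that separates files that were only renamed from files whose content no longer matches their original type. This is an added example, not code from the article or from any vendor tool; the `.lock` suffix form, the non-JPG signatures and all function names are assumptions, and the header check is a heuristic rather than proof of encryption.

```python
import os
import tempfile
from pathlib import Path

# Leading magic bytes per original extension. JPG is the only type the article
# confirms; the other entries are assumptions added for coverage.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}
LOCK_SUFFIX = ".lock"  # assumed spelling of the 'Lock' extension; matched case-insensitively

def classify(path: Path) -> str:
    """Return 'clean', 'unknown', 'renamed-only' or 'locked' for one file."""
    name = path.name.lower()
    if not name.endswith(LOCK_SUFFIX):
        return "clean"
    original_ext = Path(name[:-len(LOCK_SUFFIX)]).suffix
    if not original_ext:
        return "clean"  # e.g. an ordinary 'yarn.lock', no original extension underneath
    magic = MAGIC.get(original_ext)
    if magic is None:
        return "unknown"  # suffix matches, but no signature to judge the content
    with path.open("rb") as fh:
        head = fh.read(len(magic))
    # An intact header means the file was renamed but its content is still readable.
    return "renamed-only" if head == magic else "locked"

def triage(root: Path) -> dict:
    """Walk root and group non-clean files by verdict."""
    report = {"locked": [], "renamed-only": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath) / fname
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if verdict != "clean":
                report[verdict].append(path)
    return report

def build_sample(root: Path) -> None:
    """Constructed sample tree, not real victim data."""
    (root / "a.jpg").write_bytes(b"\xff\xd8\xff\xe0" + bytes(32))       # intact
    (root / "b.jpg.Lock").write_bytes(b"\xff\xd8\xff\xe0" + bytes(32))  # renamed only
    (root / "c.jpg.Lock").write_bytes(bytes(range(64, 100)))            # header gone
    (root / "yarn.lock").write_bytes(b"# lockfile\n")                   # benign lockfile

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        for verdict, paths in triage(Path(tmp)).items():
            print(verdict, sorted(p.name for p in paths))
```

Files reported as `locked` are the ones to restore from backup; `renamed-only` files may open again once the added suffix is removed.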

A Vaccine for Disease-Themed Software Problems

No matter how complex the software is, paying threat actors doesn't automatically trigger a decryption feature in a file-locking Trojan. Malware experts also note few elements in the CoronaCrypt0r Ransomware and limited sophistication, making it increasingly likely that the threat actor has little experience or interest in maintaining a 'reputable business.' The recycling of Bitcoin wallet infrastructure is a recurring phenomenon that victims shouldn't take as an indication of a reliable or safe decryption service.

The strength of the CoronaCrypt0r Ransomware's encryption algorithms calls for more analysis, but most users shouldn't assume that decryption or free file-unlocking can ever take place. An efficient defense against Trojans of the CoronaCrypt0r Ransomware's category always requires a backup on other devices that aren't available to the threat for deletion or encryption. Most users can also cut their chances of infection exposure drastically by disabling sometimes-threatening features like JavaScript or Flash as they browse the Web, monitoring file-downloading behavior and using strong passwords.

Anti-malware products from established companies will detect and stop or uninstall the CoronaCrypt0r Ransomware, preferably before any data encryption. Although no information about its distribution is available, the usage of a Coronavirus-themed name might indicate a similarly themed scheme, such as a fake disease-tracking app or news update.

Why a threat actor with access to the old WannaCryptor Ransomware resources switches to such a simplistic, new Trojan is a question with several potential answers. Whatever its story is, it doesn't justify rewarding the Trojan with Bitcoins – even if it's only the cost of eating out at a restaurant.