Home Malware Programs Ransomware CoronaVirus Ransomware

CoronaVirus Ransomware

Posted: March 12, 2020

CoronaVirus Ransomware is a file-locking trojan receiving distribution alongside a second threat, KPOT Stealer. Although CoronaVirus Ransomware may lock files and deliver ransom notes to victims, KPOT Stealer trojan is responsible for additional attacks regarding stealing data, such as passwords. Users should change login credentials ASAP after removing CoronaVirus Ransomware and its trojan with proper anti-malware tools.

A Two-Tap Attack from a Global Pandemic

The canniness with which threat actors manipulate victim psychology is coming into the spotlight with a 'new' trojan campaign that carries with it a much older fellow program. In and of itself, CoronaVirus Ransomware has a few quirks that make it different from Ransomware-as-a-Services of a more traditional stripe, such as STOP Ransomware's family, but its operational differences are cosmetic-oriented. However, the real value in its payload comes from being bait for distracting users' eyes from an even worse problem: KPOT Stealer.

The distribution model for the CoronaVirus Ransomware's campaign is using a fake version of a WiseCleaner website (a legitimate software company) with the 'best' domain. The trojan downloader from the site's links installs both CoronaVirus Ransomware and KPOT Stealer, although our malware experts note additional payload possibilities that require more analysis. KPOT Stealer, unlike some spyware in similar scenarios, such as AZORult, doesn't steal information to assist network infiltration. Instead, its attacks take data from Steam, FTP clients, and other programs and accounts for selling on the black market.

Meanwhile, the CoronaVirus Ransomware conducts a series of semi-unusual attacks against the user's Windows PC and files. It encrypts fifty formats of media, such as JPGs and DOCs, and removes their names without touching the extensions. Then, it inserts its e-mail into where the name ordinarily resides.

The encryption strength of CoronaVirus Ransomware's payload is awaiting analysis. There are initial reports of CoronaVirus Ransomware's lacking any decryption possibilities, but our malware researchers have yet to confirm it.

Curing the Plague Before It Spreads to Your Files

CoronaVirus Ransomware is an independent trojan and displays abnormal features for its classification. It changes the C hard drive's name, inserts two warning messages before Windows boots, and contains off-the-beaten-track political references and ransom amounts. Its uncharacteristic behavior raises the probability of the trojan's being nothing more than a distraction for KPOT Stealer's more lucrative but less visible attacks.

Users looking for WiseCleaner software should navigate to the official website, wisecleaner.com, and avoid the wisecleaner[dot]best domain that this trojan campaign is exploiting. Activate anti-malware products also may detect and isolate the trojan downloader, if possible, before the installation of its two-trojan payload. Any disinfection efforts should always include changes to passwords and other security information that the attackers now possess.

Backups are mandatory for guaranteeing data recovery, which decryptors cannot do – regardless of whether or not CoronaVirus Ransomware has one. Windows anti-malware programs may, as always, help with removing CoronaVirus Ransomware and KPOT Stealer with as little trouble as possible.

CoronaVirus Ransomware bears the name of a quickly-infamous disease but is even more insidious than any biological attack. Human-made problems can be far more disingenuous than nature and with just as unpleasant results.

Related Posts

Loading...