
CovidWorldCry Ransomware

Posted: May 26, 2020

The CovidWorldCry Ransomware is a file-locking Trojan that encrypts files on your PC so that they no longer open, including many media formats and some Windows system files. As part of its extortion-focused payload, it also terminates other programs and tampers with local backup data. Users can keep offsite backups for recovering without paying the ransom, and a professional anti-malware product can delete the CovidWorldCry Ransomware safely on sight.

In One Trojan's World, Windows Files are Its Prey

File-locking Trojans, however varied they are, tend to share traits that make sense for their ransom-based business model. One of these is treating operating system components as 'hallowed ground' that the attack leaves alone. This restraint isn't a courtesy; it's the strictly practical matter of collecting a ransom from a victim whose system still boots well enough to see what's being held hostage. The CovidWorldCry Ransomware bucks that tradition by attacking parts of Windows while, as always, blocking files with encryption.

The CovidWorldCry Ransomware is a file-locking Trojan that operates along the same lines as well-known families such as the Scarab Ransomware. Its ransom note even reuses most of the text from the Aurora Ransomware family's note. The Trojan claims to use a combination of ChaCha and AES encryption for 'locking' files and stopping them from opening, although malware analysts have yet to confirm this. Different builds of the Trojan mark encrypted filenames with different extensions.

The CovidWorldCry Ransomware's encryption is significantly riskier than most of its competition's, because it locks ntuser.pol (a per-user policy file) and bootmgr (the Windows Boot Manager), among other Windows files. The Trojan also uses many of the standard tricks for disabling security and recovery options: deleting the Shadow Volume Copies, shrinking the storage allotted to them, and terminating other programs' processes that would otherwise keep it from accessing and encrypting their files.
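The shadow-copy deletion and storage resizing described above leave a clear trail in process-creation telemetry, and that is where defenders usually catch it. The following is an added example, not code from the original article or from the Trojan itself: a small detection routine run over constructed log lines in a simplified Sysmon Event ID 1 style (Image=... CommandLine=...). The page does not document the exact commands the CovidWorldCry Ransomware issues, so the patterns below are the common vssadmin, wmic and wbadmin forms, and treating them as this Trojan's tooling is an assumption.

```python
"""Detect the shadow-copy tampering that ransomware such as CovidWorldCry performs.

Added example: not code from the original article or from the Trojan.
The log lines are constructed in a simplified Sysmon Event ID 1 style
(Image=... CommandLine=...). The command patterns are the common
vssadmin/wmic/wbadmin forms; the Trojan's exact command lines are not
documented on the page, so treating these as its tooling is an assumption.
"""
import re

# One rule per recovery-avenue attack. Each matches on the command line rather
# than on the process image so that "cmd.exe /c vssadmin ..." is still caught.
RULES = [
    ("vss_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # Shrinking the shadow storage quota forces Windows to purge older copies.
    ("vss_resize_storage",
     re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
]

LINE_RE = re.compile(r"^Image=(?P<image>.*?) CommandLine=(?P<cmd>.*)$")


def parse_line(line):
    """Split one constructed log line into (image, command_line); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("image"), m.group("cmd")


def match_rules(command_line):
    """Return the names of all rules the command line triggers ([] if benign)."""
    return [name for name, pattern in RULES if pattern.search(command_line)]


def scan(lines):
    """Return [(line_index, image, [rule names])] for every line that triggers a rule.

    Malformed lines are skipped rather than treated as benign, so the caller
    can decide separately whether unparseable telemetry is itself suspicious.
    """
    findings = []
    for i, line in enumerate(lines):
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, cmd = parsed
        hits = match_rules(cmd)
        if hits:
            findings.append((i, image, hits))
    return findings


# Constructed sample telemetry; not captured from a real infection.
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    r"Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c wmic shadowcopy delete",
    r"Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin list shadows",
    r"Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for index, image, hits in scan(SAMPLE_LOG):
        print(f"line {index}: {image} -> {', '.join(hits)}")
```

Matching on the command line rather than the image name is deliberate: the same `vssadmin` invocation launched through `cmd.exe /c` has a different Image but the same intent. A benign `vssadmin list shadows` produces no finding, which keeps the rules usable on hosts where administrators legitimately inspect shadow copies.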

Reclaiming Your Digital World from a Global Disease

The CovidWorldCry Ransomware's intention is to gain ransoms by 'selling' the unlocking tool or decryptor back to victims, just like the Dharma Ransomware, the STOP Ransomware, and dozens of others. Its connection to other Trojans is more than behavioral: some CovidWorldCry Ransomware incidents unintentionally 'double up' on encryption because it loads alongside similar threats from the STOP Ransomware family. Since threat actors usually wouldn't deploy such redundant attacks, the CovidWorldCry Ransomware is likely spreading through pay-per-install services that more than one attacker is using at the same time.

Users can protect their files by installing security patches, which block most attacks by one of the CovidWorldCry Ransomware's verified infection vectors: the RIG Exploit Kit. This EK may be hosted on hacked or deliberately unsafe websites, where it loads drive-by downloads through fake update prompts and other content. Manually disabling Flash, Java, and JavaScript in all Web browsers also improves protection against these vulnerability-exploiting attacks.

Concerningly, the CovidWorldCry Ransomware encrypts bootmgr, a file that Windows needs in order to boot. Files that two separate Trojans have encrypted are also unlikely to be recoverable, even with a decryptor. Most anti-malware products should prevent infections or delete the CovidWorldCry Ransomware automatically during system scans.

The CovidWorldCry Ransomware has more than a few 'oops' moments for a campaign that seems to want money as much as any other file-locker Trojan. Since none of those mistakes benefit the victim, Windows users have all the more reason to harden their defenses.
