Coronavirus Ransomware and Kpot Infostealer Campaign

Description

FortiGuard Labs is aware of a new ransomware campaign that is being called "Coronavirus" ransomware. It is referred to as such because various elements of the hard drive, files, and lock screen reference the term Coronavirus. Discovered by the security researchers @malwrhunterteam, the bad actors behind this attack have set up a fake website that references a security tool called WiseCleaner. The main download contains a downloader that retrieves a total of 7 files. Only two of those files were observed being downloaded by the researchers: the Kpot infostealer and the newly discovered Coronavirus ransomware.


What are the specifics of the ransomware campaign?

According to the report, the Kpot infostealer attempts to steal username and password credentials for a variety of services, including cryptocurrency wallets. The Coronavirus ransomware will attempt to encrypt files with a variety of extensions, renaming them in the following convention:

coronaVi2022@protonmail.ch___1.(originalfileextension)
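A rename convention this distinctive is a cheap indicator for responders to sweep file servers and endpoint inventories with. The following is an added example, not code from the advisory or from FortiGuard, that matches file names against the convention quoted above and summarizes hits by the original extension. It assumes (the page does not say) that the number after the three underscores is a counter that can vary, and that the original extension is kept as the final suffix; the sample paths are constructed.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, List

# Rename convention quoted in the advisory:
#   coronaVi2022@protonmail.ch___1.(originalfileextension)
# Assumptions (not stated on the page): the number after "___" is a counter
# that may vary, and the original extension survives as the final suffix.
RANSOM_NAME_RE = re.compile(
    r"^coronaVi2022@protonmail\.ch___(?P<counter>\d+)\.(?P<orig_ext>[A-Za-z0-9]+)$"
)

# Constructed sample of paths as an endpoint inventory might list them.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\coronaVi2022@protonmail.ch___1.docx",
    r"C:\Users\alice\Documents\coronaVi2022@protonmail.ch___2.xlsx",
    r"C:\Users\alice\Pictures\coronaVi2022@protonmail.ch___3.jpg",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Windows\System32\kernel32.dll",
]


def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_ransom_renamed(filename: str) -> bool:
    """True if a bare file name follows the Coronavirus rename convention."""
    return RANSOM_NAME_RE.match(filename) is not None


def find_encrypted_files(paths: Iterable[str]) -> List[str]:
    """Return every path whose file name matches the rename convention."""
    return [p for p in paths if is_ransom_renamed(basename(p))]


def hits_by_extension(hits: Iterable[str]) -> Dict[str, int]:
    """Count matches by the original extension the ransomware preserved."""
    counts: Counter = Counter()
    for p in hits:
        m = RANSOM_NAME_RE.match(basename(p))
        if m:
            counts[m.group("orig_ext").lower()] += 1
    return dict(counts)


def scan_directory(root: str) -> List[str]:
    """Walk a real directory tree and return matching paths (for live triage)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_ransom_renamed(name):
                found.append(os.path.join(dirpath, name))
    return found


if __name__ == "__main__":
    hits = find_encrypted_files(SAMPLE_PATHS)
    print(f"{len(hits)} of {len(SAMPLE_PATHS)} sample paths match the rename convention")
    for ext, n in sorted(hits_by_extension(hits).items()):
        print(f"  .{ext}: {n}")
```

The per-extension breakdown is useful in triage because it shows which document types were reached before the process was stopped; `scan_directory` applies the same check to a live tree such as a mounted share or a forensic image.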


It presents a lock screen with various rambling statements and instructions on how to pay roughly $50 USD worth of bitcoin, referencing the email address listed in the note:



CORONAVIRUS is there

All your file are crypted.

Your computer is temporarily blocked on several levels.

Applying strong military secret encryption algorithm.


To assist in decrypting your files, you must do the following:

1. Pay 0.008 btc to Bitcoin wallet bc1q8r42fm7kwg68dts3w70qah79n5emt5m76rus5u

or purchase the receipt Bitcoin;

2. Contact us by e-mail: and tell us this your

unique ID: 94C492AD07F35492DA90CAAA25986929

and send the link to Bitcoin transaction generated or Bitcoin check number.

After all this, you get in your email the following:

1. Instructions and software to unlock your computer

2. Program - decryptor of your files.

Donations to the US presidential elections are accepted around the clock.

Desine sperare qui hic intras! [Wait to payment timeout 25 - 40 min]


Are there reports of active exploitation in the wild?

No. According to the report, the malware is installed through user interaction, where the lure is a fake website promoting a computer optimization tool.


What operating systems are affected?

Windows operating systems only.


Any suggested precautions?

FortiGuard Labs suggests that all users exercise caution when installing programs from any non-reputable source. If new software is being promoted through spam email, social media, or pop-up advertisements, it is best to do due diligence on the company by performing internet searches on both the product and the company itself. Another suggestion is to perform a WHOIS search on the domain in question; a domain that is relatively new is a red flag that this is likely a scam of some sort.
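The WHOIS age check above can be automated for a block list or a help-desk workflow. The following is an added example, not code from the advisory, that parses the creation date out of WHOIS text and flags domains younger than a threshold. The 90-day threshold, the set of creation-date labels, the date layouts, and both WHOIS records (a hypothetical lookalike domain and a long-established one) are constructed assumptions; the advisory itself says only "relatively new".

```python
from datetime import datetime, timezone
from typing import Optional

# Threshold is an assumption: the advisory says only "relatively new".
NEW_DOMAIN_THRESHOLD_DAYS = 90

# Label variants different registries and registrars use for the creation date.
CREATION_LABELS = {"creation date", "created", "created on", "registered on",
                   "registration date"}

# Date layouts commonly seen in whois output (assumed set; extend as needed).
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")

# Constructed whois output for a hypothetical lookalike domain.
SAMPLE_WHOIS_NEW = """\
Domain Name: wisecleaner-free-download.example
Registrar: Example Registrar, Inc.
Creation Date: 2020-03-09T14:22:31Z
Registry Expiry Date: 2021-03-09T14:22:31Z
Name Server: ns1.example.net
"""

# Constructed whois output for a long-established domain.
SAMPLE_WHOIS_OLD = """\
Domain Name: long-established-vendor.example
Registered on: 2005-08-16
"""


def as_of(iso_date: str) -> datetime:
    """Build a UTC reference date from YYYY-MM-DD (used for repeatable checks)."""
    return datetime.strptime(iso_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_creation_date(whois_text: str) -> Optional[datetime]:
    """Find the first creation-date line and parse it as an aware datetime."""
    for line in whois_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep or label.strip().lower() not in CREATION_LABELS:
            continue
        value = value.strip()
        for fmt in DATE_FORMATS:
            try:
                dt = datetime.strptime(value, fmt)
            except ValueError:
                continue
            if dt.tzinfo is None:
                dt = dt.replace(tzinfo=timezone.utc)
            return dt
    return None


def domain_age_days(whois_text: str, now: Optional[datetime] = None) -> Optional[int]:
    """Days since registration, or None when no creation date was found."""
    created = parse_creation_date(whois_text)
    if created is None:
        return None
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def assess_domain(whois_text: str, now: Optional[datetime] = None) -> str:
    """Verdict label: NEW_DOMAIN_RED_FLAG, ESTABLISHED, or UNKNOWN."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "UNKNOWN"          # no creation date: treat as unverified, not safe
    if age < NEW_DOMAIN_THRESHOLD_DAYS:
        return "NEW_DOMAIN_RED_FLAG"
    return "ESTABLISHED"


if __name__ == "__main__":
    today = as_of("2020-03-20")
    for record in (SAMPLE_WHOIS_NEW, SAMPLE_WHOIS_OLD):
        print(domain_age_days(record, today), assess_domain(record, today))
```

In practice the text comes from the `whois` command line tool (for example `subprocess.run(["whois", domain], capture_output=True, text=True).stdout`) or from a registrar's RDAP endpoint. An established domain is not proof of legitimacy, only the absence of one red flag, so the `ESTABLISHED` verdict should feed into the other due-diligence steps rather than replace them.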


What is the status of AV and IPS coverage?

AV coverage for this issue exists as:

W32/Upatre.AR!tr.dldr

W32/Kryptik.HBVI!tr

W32/Zenpak.HBWA!tr.ransom


IPS coverage is not feasible for this issue.


FortiGuard Labs recommends that all AV and IPS definitions be kept up to date on a continual basis, and that organizations maintain a proactive patching routine for when vendor updates are available. If patching is deemed not feasible, it is recommended that a risk assessment be conducted to determine additional mitigation safeguards within the environment.