Ransomware attacks are evolving. Besides encrypting data and asking for a ransom, attackers have also started stealing credentials from infected machines. One example of this new-age ransomware is the CoronaVirus Ransomware attack, which has been spreading since the outbreak of the COVID-19 pandemic.
The attackers behind this ransomware combine three different threats in a single package:
Furthermore, there are various weapons through which the malware is being propagated, including fake downloads, corrupted advertisements, phishing emails, and pirated software or media.
Though many distribution channels can be used for this attack, phishing emails are predominantly used to reach the target. The bogus email redirects the user to a fake WiseCleaner website, and from there, a WSHSetup.EXE file is downloaded. This file acts as a downloader and attempts to fetch several other files from another site. The key downloads, however, are a malware combo: file1.exe and file2.exe.
file1.exe acts as a KPOT Trojan and steals the user credentials stored on the infected system, while file2.exe acts as the file encrypter.
The KPOT Trojan payload, file1.exe, steals cookies and login credentials from web browsers, messaging programs, virtual private networks (VPNs), the File Transfer Protocol (FTP), email and gaming accounts, and other services. This payload also grabs a screenshot of the active desktop, and scans for Bitcoin wallets to steal from. All the stolen credentials are sent to another website run by the hackers.
Many businesses have adopted a remote work model as the pandemic has spread. This sudden shift to remote work has increased VPN usage drastically; the CoronaVirus Ransomware exploits this situation by stealing corporate VPN credentials from user machines, without having to break or bypass the traditional network security usually deployed on-premises.
The actual file encrypter is hidden in the file2.exe file. When this file is downloaded and executed, it attempts to encrypt all the files in the system that have the extensions mentioned below:
Each encrypted file is renamed to the attacker's email address, but the original extension is kept. This makes every infected file's name look similar to, for example, coronaVi2022@protonmail.jpg, making it hard to detect. A ransom note is then displayed whenever the user tries to open the infected folder. The attacker demands a ransom of 0.008 Bitcoin (around $50), paid to a hard-coded Bitcoin address, bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk0xa3j.
Additionally, the CoronaVirus Ransomware also changes the Windows Registry settings on the infected computer to display the ransom note upon reboot.
The lock screen changes after 45 minutes, but it still doesn't allow the victim to access the system. The machine eventually reboots into Windows and, after a further 15 minutes, once the user logs in, the ransom note is displayed again.
ManageEngine Log360, a comprehensive SIEM solution, can help you proactively mitigate this ransomware attack. The solution's real-time correlation engine comes with predefined rules that help capture the events related to this ransomware attack, such as malicious file installations and file modifications. As soon as the initial IoCs are detected, it triggers Log360's automatic workflow to stop the attack from progressing, preventing data encryption or credential theft.
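The rename pattern described above (every file takes the attacker's email address as its name while keeping its original extension) is exactly the kind of behaviour a correlation rule can catch: one "email-like" file name stem suddenly appearing across many different extensions in a short time. The following Python script is an added example, not code from the original article or from ManageEngine; it shows the detection logic run over a small set of constructed file-system events. The `timestamp|event|path` line format, the event names `RENAME`/`CREATE`, and the user paths are assumptions made for this example, and the only indicator taken from the article is the `coronaVi2022@protonmail` file name stem.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-system events for this example. The
# "timestamp|event|path" format is an assumption, not a real SIEM export.
SAMPLE_EVENTS = """\
2022-03-01T10:00:01|RENAME|C:\\Users\\alice\\Documents\\coronaVi2022@protonmail.jpg
2022-03-01T10:00:02|RENAME|C:\\Users\\alice\\Documents\\coronaVi2022@protonmail.docx
2022-03-01T10:00:02|RENAME|C:\\Users\\alice\\Documents\\coronaVi2022@protonmail.xlsx
2022-03-01T10:00:03|RENAME|C:\\Users\\alice\\Pictures\\coronaVi2022@protonmail.png
2022-03-01T10:00:04|RENAME|C:\\Users\\alice\\Pictures\\coronaVi2022@protonmail.pdf
2022-03-01T10:30:00|RENAME|C:\\Users\\bob\\report-final.docx
2022-03-01T10:31:00|CREATE|C:\\Users\\bob\\notes.txt
"""

# A file name stem that looks like "localpart@domain" (the original extension
# has replaced the top-level domain, so the stem itself contains no dot).
EMAIL_STEM = re.compile(r"^[^@\s\\/]+@[^@\s\\/.]+$")


def parse_events(text):
    """Parse 'timestamp|event|path' lines into (datetime, event, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, path = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), kind, path))
    return events


def split_name(path):
    """Return (stem, lowercase extension) of the last path component."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = name.rpartition(".")
    if not dot:
        return name, ""
    return stem, ext.lower()


def detect_mass_rename(events, window=timedelta(minutes=5), min_extensions=3):
    """
    Raise one alert per burst in which a single email-like stem is written to
    at least `min_extensions` distinct extensions within `window`.
    """
    by_stem = defaultdict(list)
    for ts, kind, path in events:
        if kind not in ("RENAME", "CREATE"):
            continue
        stem, ext = split_name(path)
        if EMAIL_STEM.match(stem):
            by_stem[stem].append((ts, ext, path))

    alerts = []
    for stem, hits in by_stem.items():
        hits.sort()
        i = 0
        while i < len(hits):
            # Extend j to cover every hit within `window` of hits[i].
            j = i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            burst = hits[i:j + 1]
            exts = {e for _, e, _ in burst}
            if len(exts) >= min_extensions:
                alerts.append({
                    "stem": stem,
                    "first_seen": burst[0][0],
                    "last_seen": burst[-1][0],
                    "extensions": sorted(exts),
                    "count": len(burst),
                    "paths": [p for _, _, p in burst],
                })
                i = j + 1  # skip past this burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {alert['count']} files renamed to '{alert['stem']}' "
              f"across extensions {alert['extensions']} between "
              f"{alert['first_seen']} and {alert['last_seen']}")
```

Bob's ordinary rename and create events produce no alert because their stems contain no `@`; alice's five renames within four seconds trigger a single alert. The same windowed-count approach can be applied to the registry-modification events mentioned earlier (a run-key change followed by a burst of renames), which is the kind of multi-event correlation a SIEM rule expresses.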