Let’s get through this tough situation.
Together.

Thank you for registering!

Register to get 30-day free license
with technical support
  • Please enter business email address
  • By clicking 'Register free Log360 license', you agree to processing of personal data according to the Privacy Policy.
    You can unsubscribe from our mails at anytime.

Ransomware attacks are evolving. Besides encrypting data and asking for a ransom, attackers have also started stealing credentials from infected machines. One such example of this new-age ransomware is the CoronaVirus Ransomeware attack, which has started to spread since the outbreak of the COVID-19 pandemic.

Why the CoronaVirus Ransomware is deadly to your network security

The attackers behind this ransomware combine three different threats in a single package:

  • File encryption
  • Stealing online credentials
  • Overwrite the content of the infected system drive's Master Boot Record (MBR)

Furthermore, there are various weapons through which the malware is being propagated, including fake downloads, corrupted advertisements, phishing emails, and pirated software or media.

Quick Tip: Before reading on to learn how the attack happens, secure your network from this attack by deploying Log360, our security information and event management (SIEM) solution. Log360 provides predefined correlation rules that capture the indicators of compromise (IoCs) of the CoronaVirus Ransomware attack, and stops the attack from being executed.

How the CoronaVirus ransomware attack works

Though many threat distributors can be used for this attack, phishing emails are predominantly used to exploit the target. The bogus email redirects the user to a fake WiseCleaner website, and from there, a WSHSetup.EXE file is downloaded. This file acts as a downloader and attempts to download several other files from another site. However, the key downloads are a malware combo, file1.exe and file2.exe.

file1.exe acts as a KPOT Trojan and steals the user credentials stored on the infected system, while file2.exe acts as the file encrypter.

Step 1: Credential stealing

The KPOT Trojan payload, file1.exe, steals cookies and login credentials from web browsers, messaging programs, virtual private networks (VPNs), the File Transfer Protocol (FTP), email and gaming accounts, and other services. This payload also grabs a screenshot of the active desktop, and scans for Bitcoin wallets to steal from. All the stolen credentials are sent to another website run by the hackers.

Many businesses have adopted a remote work model as the pandemic has spread. This sudden adoption to remote work has increased VPN usage drastically; the CoronaVirus Ransomware is exploiting this situation by stealing corporate user credentials from VPNs, without having to break or bypass the traditional network security usually deployed on-premises.

Step 2: Encrypting the files and MBR

The actual file encrypter is hidden in the file2.exe file. When this file is downloaded and executed, it attempts to encrypt all the files in the system that have the extensions mentioned below:

.bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old

The encrypted file gets renamed with the attacker's email address, but the extension remains the same. This makes every infected file's name look similar to, for example, coronaVi2022@protonmail.jpg, making it hard to detect. A ransom note is then displayed whenever the user tries to open the infected folder. The attacker demands a ransom of 0.008 Bitcoin (around $50) to a hard-coded Bitcoin address, bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk0xa3j.

Additionally, the CoronaVirus Ransomware also changes the Windows Registry settings on the infected computer to display the ransom note upon reboot.

The lock screen changes after 45 minutes, but it doesn't allow the victim to access the system. It will eventually reboot into Windows and, after a further 15 minutes and when the user logs in, it will display the ransom note again.

How Log360 helps combat the CoronaVirus Ransomware attack

ManageEngine Log360, a comprehensive SIEM solution, can help you proactively mitigate this ransomware attack. The solution's real-time correlation engine comes with predefined rules that help capture the events related to this ransomware attack, like malicious file installations and file modifications. As soon as the initial IoCs are detected, it triggers Log360's automatic workflow to stop further attack executions, preventing the data lock or credential stealing.

How Log360 tackles the CoronaVirus Ransomware attack: