Unsurprisingly, cyber crooks are incorporating the word “coronavirus” into their malicious software. Since the COVID-19 pandemic began earlier this year, various malware strains have emerged with “coronavirus” in their names. One such example is the CoronaVirus ransomware. As ransomware goes, it’s pretty straightforward: it gets into the computer, encrypts files, and demands that victims pay a ransom to get the decryptor. However, the CoronaVirus ransomware comes bundled with a KPOT trojan. KPOT is a notorious trojan that focuses on stealing users’ sensitive data, such as login credentials.
The CoronaVirus ransomware spreads via a fake system utility page
This ransomware and trojan are distributed via a fake page for the Windows system optimization program WiseCleaner. The site distributes a malicious file called WSHSetup.exe, which is essentially a downloader for both the CoronaVirus ransomware and the data-stealing trojan KPOT. If users execute the file, it downloads file1.exe and file2.exe.
It’s unclear how exactly users would end up on the page distributing the malicious file. It’s possible users could encounter links to it on various forums, or be redirected when browsing questionable sites.
Upon successful infiltration, the trojan will steal files, while the ransomware will encrypt files
After the WSHSetup.exe file is executed, it will download two files, file1.exe and file2.exe. The first one is the KPOT trojan, while the second one is the CoronaVirus ransomware.
When the ransomware is executed, it will start encrypting files. You may not initially notice this happening, but you will certainly realize that something is wrong when you cannot open any of your personal files because they’ve been encrypted. Affected files are renamed to coronaVi2022@protonmail.ch, which is the contact email address that victims are told to use if they decide to pay the ransom.
Below is a list of file extensions that are targeted:
.bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old
When the ransomware is done encrypting files, it will drop a CoronaVirus.txt ransom note. The note demands that users pay 0.008 Bitcoins (currently $154) in order to get the decryptor. Supposedly, once the payment is made and you send an email to the displayed email addresses, you will receive a decryptor. Unfortunately, you can be almost certain that a decryptor will not be sent to you. Whether cyber crooks send the decryptor is questionable at the best of times; with the CoronaVirus ransomware it’s almost certain that it will not be sent.
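As an added example (not code from the original article), the following defender-side check walks a directory tree for the on-disk indicators described above: files renamed to the coronaVi2022@protonmail.ch contact address, the CoronaVirus.txt ransom note, and still-intact files with one of the targeted extensions. The sample directory it scans is constructed inline for the demonstration; the drive-label rename is a Windows volume property and is not checked here.

```python
"""Added example, not code from the original article: a defender-side check
that walks a directory tree for the on-disk indicators the article names:
files renamed to the contact address and the CoronaVirus.txt ransom note."""
import os
import tempfile
from pathlib import Path

RENAME_MARKER = "coronaVi2022@protonmail.ch"  # renamed-file marker (from the article)
RANSOM_NOTE = "CoronaVirus.txt"               # ransom note name (from the article)
# Extensions the article lists as targeted; set() collapses the repeated .bak.
TARGETED_EXTENSIONS = set("""
.bak .bat .doc .jpg .jpe .txt .tex .dbf .xls .cry .xml .vsd .pdf .csv .bmp
.tif .tax .gif .gbr .png .mdb .mdf .sdf .dwg .dxf .dgn .stl .gho .ppt .acc
.vpd .odt .ods .rar .zip .cpp .pas .asm .rtf .lic .avi .mov .vbs .erf .epf
.mxl .cfu .mht .old""".split())

def scan_tree(root):
    """Return indicator hits under root: 'renamed' (contact-address file names),
    'notes' (ransom notes) and 'at_risk' (intact files with a targeted extension)."""
    hits = {"renamed": [], "notes": [], "at_risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if RENAME_MARKER.lower() in name.lower():
                hits["renamed"].append(path)       # already encrypted and renamed
            elif name.lower() == RANSOM_NOTE.lower():
                hits["notes"].append(path)         # note dropped after encryption
            elif Path(name).suffix.lower() in TARGETED_EXTENSIONS:
                hits["at_risk"].append(path)       # would be encrypted if it ran
    return hits

def build_sample_tree():
    """Constructed sample tree (not real malware output): one renamed file, one
    note, two intact targeted files and one file outside the targeted list."""
    root = tempfile.mkdtemp(prefix="cv_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / RENAME_MARKER).write_text("opaque ciphertext placeholder")
    (docs / RANSOM_NOTE).write_text("CORONAVIRUS is there")
    (docs / "report.doc").write_text("still readable")
    (docs / "photo.JPG").write_bytes(b"\xff\xd8")
    (docs / "notes.md").write_text("not on the targeted list")
    return root

if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(f"{kind}: {len(paths)}")
```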
Here’s the ransom note:
“CORONAVIRUS is there
All your file are crypted.
Your computer is temporarily blocked on several levels.
Applying strong military secret encryption algorithm.
To assist in decrypting your files, you must do the following:
1. Pay 0.008 btc to Bitcoin wallet bc1q6ryyex33jxgr946u3jyre66uey07e2xy3v2cah
or purchase the receipt Bitcoin;
2. Contact us by e-mail: coronaVi2022@protonmail.ch and tell us this your
unique ID: – 56GH8709EE123KJK903IUMN018DGF71E
and send the link to Bitcoin transaction generated or Bitcoin check number.
After all this, you get in your email the following:
1. Instructions and software to unlock your computer
2. Program – decryptor of your files.
Donations to the US presidential elections are accepted around the clock.
Desine sperare qui hic intras! [Wait to payment timeout 25 – 40 min]”
While you are dealing with the ransomware, the KPOT trojan would try to steal personal information stored on the infected computer. That includes browser-stored information such as passwords, cookies, credit card numbers, bank account details, etc. It’s more than likely that the trojan is the main part of the attack and that the ransomware is merely a distraction.
What should you do if your computer gets infected with CoronaVirus ransomware and KPOT trojan
If your files are suddenly renamed to coronaVi2022@protonmail.ch and your system disk drive is renamed to CoronaVirus (C:), your computer is infected with both the CoronaVirus ransomware and the KPOT trojan. It’s very unlikely that paying the ransom will actually result in a decryptor being sent to you. What you should be more worried about is the trojan stealing your data. You need to immediately scan your computer with anti-virus software to remove the CoronaVirus ransomware and the KPOT trojan. Once your computer is malware-free, change all your passwords at once, including those for social media accounts, online banking, and email. Furthermore, keep an eye on your credit card records for any unusual transactions if you had your details saved in any of your browsers.