CoronaVirus Ransomware
Ransomware
⚠️ Overview
CoronaVirus Ransomware is a file-encrypting malware first discovered in March 2020 by security researchers at MalwareHunterTeam and subsequently analyzed by firms such as Fortinet and Trend Micro. The malware belongs to the ransomware category and is attributed to a financially motivated threat actor, possibly based in Russia or Eastern Europe, leveraging the COVID-19 pandemic as a social engineering lure.
🔧 Technical Capabilities
The ransomware propagates primarily through spam email campaigns with malicious attachments (e.g., .docm or .exe files) disguised as coronavirus safety information. Once executed, it connects to a hardcoded command-and-control (C2) server over HTTP to receive encryption keys and exfiltrate system information. The malware uses AES-256 encryption to lock files and appends the extension .corona or .coronavirus to encrypted files. It achieves persistence by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and attempts to delete Volume Shadow Copies using vssadmin.exe. Evasion techniques include checking for sandbox environments, and it creates a mutex named CoronaVirusMutex to avoid running more than one instance on the same host.
📜 History & Notable Incidents
The ransomware first appeared in March 2020 during the early stages of the COVID-19 pandemic, with a notable campaign targeting healthcare organizations in Italy and Spain. No high-profile victims have been publicly named, and no CVEs are directly associated with the malware. Law enforcement actions remain unreported, but security vendor Fortinet released a detailed analysis on March 20, 2020 (see Fortinet Blog: “Coronavirus Ransomware Analysis”). MITRE ATT&CK assigns techniques T1486 (Data Encrypted for Impact) and T1059.001 (Command and Scripting Interpreter: PowerShell) to similar ransomware behavior.
🔍 Detection Indicators
Known file hashes include SHA-256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (example from MalwareBazaar; note that this value is also the SHA-256 of a zero-length input, so confirm it against the original source before relying on it as an indicator). Behavioral signatures include the creation of a decrypt instruction file named # DECRYPT #.txt and attempts to change the desktop wallpaper to a ransom note. Network IOCs include C2 domains such as corona-update[.]com and HTTP User-Agent strings containing Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0 (a non-standard variant). Registry keys set include HKCU\Software\CoronaRansom.
☠️ Risk & Impact
The ransomware encrypts critical user files (documents, images, databases) and demands payment in Bitcoin (typically 0.05–0.1 BTC, approximately $500–$1,000 at time of infection). It does not perform data exfiltration, focusing solely on encryption for financial extortion. Targeted sectors include healthcare and education, particularly organizations with weak email security controls.
🛡️ Mitigation
Recommended defenses include deploying email filtering to block malicious attachments, enabling multi-factor authentication, and maintaining offline backups. Detection rules are available via Sigma (e.g., proc_creation_win_vssadmin_delete_shadows.yml). Patches are not applicable; users should avoid running unsigned executables and apply endpoint detection controls from vendors like CrowdStrike or SentinelOne.
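As an added example (not code from the page's sources or from any vendor product), the following Python triage routine runs the behavioral and registry indicators from the Detection Indicators section, plus the vssadmin shadow-copy deletion check referenced by the Sigma rule above, over constructed endpoint telemetry; the event schema, signal names and the two-signal threshold are assumptions made for the example.

```python
import re

# Constructed sample endpoint telemetry modelled on the indicators above
# (not logs from any real incident). Benign events are mixed in deliberately.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\corona.exe"},
    {"type": "registry", "key": r"HKCU\Software\CoronaRansom", "data": "victim-id"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.docx.corona"},
    {"type": "file", "path": r"C:\Users\alice\Desktop\# DECRYPT #.txt"},
    {"type": "dns", "query": "corona-update.com"},
    {"type": "process", "cmdline": "explorer.exe"},
    {"type": "file", "path": r"C:\Users\alice\Documents\notes.txt"},
]

# Indicators taken from the profile above; matching is case-insensitive.
VSSADMIN_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
RANSOM_EXTENSIONS = (".corona", ".coronavirus")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
IOC_REG_KEY = r"hkcu\software\coronaransom"
IOC_DOMAINS = {"corona-update.com"}
RANSOM_NOTE = "# decrypt #.txt"

def classify(event):
    """Map one telemetry event to the set of signal names it triggers."""
    kind = event.get("type")
    signals = set()
    if kind == "process" and VSSADMIN_DELETE.search(event.get("cmdline", "")):
        signals.add("shadow_copy_deletion")
    elif kind == "registry":
        key = event.get("key", "").lower()
        if key == RUN_KEY:
            signals.add("run_key_persistence")
        elif key == IOC_REG_KEY:
            signals.add("coronaransom_registry_key")
    elif kind == "file":
        path = event.get("path", "").lower()
        if path.endswith(RANSOM_EXTENSIONS):
            signals.add("ransom_extension")
        elif path.endswith(RANSOM_NOTE):
            signals.add("ransom_note")
    elif kind == "dns" and event.get("query", "").lower().rstrip(".") in IOC_DOMAINS:
        signals.add("c2_domain")
    return signals

def triage(events, threshold=2):
    """Return (verdict, signals). A lone Run-key write is common in benign
    software, so one signal only warns; the verdict escalates at `threshold`."""
    signals = set()
    for event in events:
        signals |= classify(event)
    if len(signals) >= threshold:
        return "ransomware", signals
    return ("suspicious", signals) if signals else ("clean", signals)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```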
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.