“CoronaVirus” Ransomware has been found distributed via a phishing website. The malicious website will distribute a trojan downloader which then leads to downloading additional malicious payloads: the Kpot InfoStealer and Coronavirus Ransomware.

“CoronaVirus” Ransomware will perform the deletion of volume shadow copies and overwrite the Master Boot Record (MBR) of the hard disk. It will also drop ransom notes named “CoronaVirus.txt” to the victim as shown in Figure 2.

Figure 1: Malware distribution

Figure 2: Screenshot of the ransom note

Details

• Upon execution it will delete itself, then create a copy of itself to the %TEMP% directory with a randomly generated filename.

• It will rename system C drive to “CoronaVirus”

• It will modify the following registry key to display ransom note on screen during reboot and startup:

• • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager “BootExecute” autocheck autochk * {%TEMP%\”RansomNote”}
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run {%TEMP%\CoronaVirus.txt}

• It will perform the deletion of volume shadow copies with the following command: 
  • “C:\Windows\system32\VSSADMIN.EXE” Delete Shadows /All /Quiet
  • “C:\Windows\system32\wbadmin.exe” delete backup -keepVersions:0 -quiet
  • “C:\Windows\system32\wbadmin.exe” delete systemstatebackup -keepVersions:0 -quiet

Behavioral Summary

The following is a screenshot of Cloud Enterprise EDR (CB ThreatHunter) process chart by “CoronaVirus” Ransomware.

In addition, VMware Carbon Black Cloud Endpoint Standard (CB Defense) will display the malware’s overall triggered TTPs.

Customer Protection

CoronaVirus Ransomware is blocked and detected by existing policies within VMware Carbon Black products. To learn more about further ransomware behavior, detection and protection capabilities within the Carbon Black suite of products against CoronaVirus ransomware, you may refer to the following blog post:

TAU-TIN – Ransomware Threats

MITRE ATT&CK TIDs

Indicators of Compromise (IOCs)