Original article can be found here (source): Artificial Intelligence on Medium
Hackers exploiting Coronavirus fear via ‘CovidLock’ Ransomware
Researchers have identified a website that facilitates the installation of a new ransomware
Nefarious actors leave no stone unturned in exploiting their victims, and the current environment of fear and uncertainty caused by the COVID-19 pandemic provides them with just the right opportunity. Cybersecurity researchers at DomainTools have recently discovered a website coronavirusapp.site, which facilitates the installation of a new ransomware called “CovidLock.”
According to the company, researchers observed a minor uptick in domain names leveraging Coronavirus and COVID-19. As the number of cases has escalated during the pandemic, these domain registrations have peaked, and many of them are scams. The DomainTools team has been consistently monitoring these suspicious domains.
As the general population becomes more anxious and goes online to find more information about the disease, hackers have banked on this opportunity to dupe people into installing ransomware. The website described above prompts visitors to install an Android application that purports to show infected individuals in their area with the help of heatmap visuals.
To proclaim its authenticity, the app displays the seals of the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC). In actuality it is armed with the ‘CovidLock’ ransomware, named as such because its cover story is built around the viral disease and its capability is to lock the device.
Once installed, the ransomware launches a screen-lock attack, which forces the user to change the access password used to unlock the phone. Thereafter, a ransom note (above) appears on the screen asking for $100 in bitcoin (BTC) within 48 hours. Non-compliance is threatened with the deletion of your contacts, pictures and videos, as well as your phone’s memory. It also threatens that your social media profiles will be leaked publicly.
The mobile operating system Android Nougat has protection against this type of attack, but you need to have a password in place for it to work. No password to unlock the screen means you are still vulnerable to the ransomware attack.
But the good news is that DomainTools researchers have reverse engineered the decryption keys and will be posting them publicly. The team is also monitoring the BTC wallet associated with the ransomware and its transactions, details of which will be released soon.
Cyber threat analysts at Check Point Software Technologies have determined that coronavirus-themed domains are 50% more likely to be a front for malicious actors than other websites. They estimate that 4,000 domain names relating to the coronavirus have been registered globally since Jan. 2020; of these, 3% are deemed to be “malicious,” while 5% are described as “suspicious.”
Full technical details about the ransomware are available here.