Researchers have found cybercriminals using the COVID-19 pandemic as the lure for a new ransomware campaign. According to reports, the hacker collective known as “Punisher” is systematically using COVID-19 to lure people in Chile who are looking for related information.
Punisher ransomware explained
The Punisher ransomware is disguised as a COVID-19 tracking application and is distributed through a phishing website targeting Chilean users. The site was hosted at covid19[.]digitalhealthconsulting[.]cl, as reported by Cyble Research and Intelligence Labs (CRIL).
The hacker collective’s ransom note demands USD 1,000 in Bitcoin, adding that the ransom increases by USD 250 each day and that all files become unrecoverable after seven days.
The note, which is downloaded from a remote server, also threatens to destroy all the files if the victim contacts the police.
The encryptor (SHA256: dfc3e3eed6f6bba5e11fb88d06b22d0100188b1776b68b7207e0a4cac09ffa1a) is a .NET binary that runs on Windows. Its compile timestamp has been tampered with, a technique known as timestomping: an anti-forensics method that makes the binary harder to spot during incident response activities.
Researchers are not sure why the second function, GeneratePassword, sends a string of data to the C&C server. The function generates random strings, converts them to bytes and sends them to the C&C; the string was not observed being used during the encryption process either.
The ransomware then fetches the serial numbers of the infected device using a WMI query, which helps the attacker generate the encryption key. The next function, CheckConnection, connects to Google.com to check whether the system has an active internet connection and returns a Boolean value depending on the response from Google.
MakeConnection is the next function; it creates a list for storing encrypted information such as the machine name, username and system ID. The target’s IP address is fetched using the API at https[:]//api.ipify[.]org. The stored information is then sent to the C&C server at hxxp[:]//20[.]100.168[.]3[:]1974/handshake.php.
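The check-in sequence just described, turned into a proxy-log correlation check that flags hosts reproducing it; this is an added example, not code from the report or from CRIL. The log format, the www.google.com hostname for the connectivity check, the 203.0.113.5 server and every sample entry are constructed assumptions; only the 20.100.168.3:1974/handshake.php endpoint and api.ipify.org come from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from the report: the C&C handshake endpoint and the calls made before it.
KNOWN_C2 = ("20.100.168.3", 1974, "/handshake.php")
CHAIN = ("www.google.com", "api.ipify.org")  # connectivity check, then external-IP lookup (hostnames assumed)
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) \w+ https?://([^/:\s]+)(?::(\d+))?(/\S*)?$")

def parse_line(line):
    """Parse a constructed proxy log line: '<date> <time> <src_ip> <METHOD> <url>'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, path = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "host": host, "port": int(port) if port else None, "path": path or "/"}

def find_checkins(lines, window=timedelta(minutes=5)):
    """Map source IP -> 'known_c2' (request to the reported handshake endpoint) or
    'checkin_chain' (google.com, api.ipify.org, then any /handshake.php within `window`)."""
    by_src = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        stage, first_ts = 0, None
        for r in sorted(recs, key=lambda r: r["ts"]):
            if (r["host"], r["port"], r["path"]) == KNOWN_C2:
                verdicts[src] = "known_c2"
                break
            if first_ts and r["ts"] - first_ts > window:  # chain stalled: start over
                stage, first_ts = 0, None
            if stage < 2 and r["host"] == CHAIN[stage]:
                first_ts = first_ts or r["ts"]
                stage += 1
            elif stage == 2 and r["path"] == "/handshake.php":
                verdicts[src] = "checkin_chain"
                break
    return verdicts

# Constructed sample: .10 runs the chain against an unlisted server, .11 hits the reported C&C, .12 is slow ordinary browsing.
SAMPLE_LOG = """\
2023-01-10 09:00:01 10.0.0.10 GET http://www.google.com/
2023-01-10 09:00:02 10.0.0.10 GET https://api.ipify.org/
2023-01-10 09:00:03 10.0.0.10 POST http://203.0.113.5:1974/handshake.php
2023-01-10 09:00:05 10.0.0.11 POST http://20.100.168.3:1974/handshake.php
2023-01-10 09:00:06 10.0.0.12 GET http://www.google.com/
2023-01-10 09:10:00 10.0.0.12 GET https://api.ipify.org/
""".splitlines()
```

Running find_checkins(SAMPLE_LOG) flags 10.0.0.10 for the full chain and 10.0.0.11 for the known endpoint, while 10.0.0.12 stays clean because its two requests fall outside the window.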
Following this, the Punisher ransomware looks for a UI directory in the C:\Users\Public\Windows\ folder. If it is found, the ransomware deletes the directory and creates a new one with the same name.
If the UI directory is not found, the ransomware creates it with the same attributes. The ransom note is downloaded at this stage; it contains information specific to the target, such as the system ID, the date of infection and the target’s unique identifier.
CRIL researchers found that the cybercriminals behind this fake COVID site are not targeting corporates but are luring individual users. They further noted that the encrypted files could be easily decrypted because the ransomware uses the AES-128 symmetric algorithm for encryption. AES, the Advanced Encryption Standard, was established by the United States National Institute of Standards and Technology.
Because the algorithm is symmetric, the same key is used both to encrypt and to decrypt the data the ransomware gang holds hostage. However, unsuspecting individuals may not have the expertise to recover their files this way, which is why hackers may take advantage of them.
“The victims can also recover the files encrypted by this ransomware by reverting the Operating System to its previous stage as it does not delete shadow copies,” a CRIL researcher told The Cyber Express team. The researcher’s name is withheld on request.