Digital Epidemic: CoronaVirus vs CoViper

Against the backdrop of the coronavirus pandemic, it feels as though an equally large-scale digital epidemic has broken out alongside it [1]. The growth in the number of phishing sites, spam, fraudulent resources, malware and similar malicious activity is cause for serious concern. The scale of the ongoing lawlessness is illustrated by the news that "extortionists promise not to attack medical institutions" [2]. Yes, that is right: those who protect people's lives and health during the pandemic are themselves being attacked with malware, as happened in the Czech Republic, where the CoViper ransomware disrupted several hospitals [3].
This prompts the question of what the ransomware exploiting the coronavirus theme actually is and why it appears so quickly. Two malware samples, CoViper and CoronaVirus, were found in the wild; they have attacked many computers, including those of public hospitals and medical centers.
Both executables are in the Portable Executable (PE) format, which means they target Windows, and both are compiled for 32-bit x86. They are strikingly similar to each other; the main difference is that CoViper is written in Delphi, as shown by its section names and by a compilation timestamp of June 19, 1992 (the fixed placeholder value that the Delphi linker writes into the PE header instead of the real build time), while CoronaVirus is written in C. Both are ransomware.
Ransomware is software that, once it lands on the victim's computer, encrypts the user's files, disrupts the normal boot process of the operating system, and tells the user that they must pay the attackers to get their data decrypted.
Once launched, both programs search the computer for user files and encrypt them. The search is done with standard Win32 API functions, whose usage examples are easy to find on MSDN [4].

Fig.1 Search for user files

After a while they reboot the computer and display a similar message saying the computer is locked.
Fig.2 Blocking message

To disrupt the operating system's boot process, the ransomware uses a simple technique: it overwrites the Master Boot Record (MBR) [5] through the Windows API. The MBR is the first 512-byte sector of the disk; once its boot code has been replaced, the next start-up runs the attacker's code (the lock screen) instead of the real boot loader.
Fig.3 Modification of the boot record
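
The check a defender would want against this technique, written here as an added example (it is not code from the article, nor from the CoViper or CoronaVirus samples): parse the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), verify the signature, and compare the boot-code region and partition table against a known-good baseline captured earlier. Both the baseline sector and the "locked" sector are constructed in memory, as is the `check_scenario` helper; the function names, the FNV-1a hash and the sample partition values are this example's own choices. On a real Windows host the live sector would come from `CreateFile("\\\\.\\PhysicalDrive0", GENERIC_READ, ...)` followed by a 512-byte `ReadFile`, which requires administrator rights and is not included so the code runs anywhere.

```c
/* Added example: MBR baseline check (not from the article or the samples it describes). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE     512
#define BOOTCODE_SIZE   446      /* bytes 0..445: boot loader code */
#define PART_TABLE_OFF  446      /* bytes 446..509: four 16-byte partition entries */
#define PART_TABLE_SIZE 64
#define SIG_OFF         510      /* bytes 510..511: 0x55 0xAA */

enum mbr_status {
    MBR_OK = 0,
    MBR_SIGNATURE_MISSING = 1,   /* BIOS will refuse to boot this sector at all */
    MBR_BOOTCODE_CHANGED = 2,    /* typical of MBR lockers: loader replaced by a lock screen */
    MBR_PARTITIONS_CHANGED = 3   /* partition table rewritten or wiped */
};

/* FNV-1a, used only to fingerprint the boot-code region for the comparison. */
static uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

int mbr_has_signature(const uint8_t *sector)
{
    return sector[SIG_OFF] == 0x55 && sector[SIG_OFF + 1] == 0xAA;
}

/* Compare a freshly read sector with a baseline captured from the healthy system. */
enum mbr_status mbr_check(const uint8_t *baseline, const uint8_t *current)
{
    if (!mbr_has_signature(current))
        return MBR_SIGNATURE_MISSING;
    if (fnv1a32(baseline, BOOTCODE_SIZE) != fnv1a32(current, BOOTCODE_SIZE))
        return MBR_BOOTCODE_CHANGED;
    if (memcmp(baseline + PART_TABLE_OFF, current + PART_TABLE_OFF, PART_TABLE_SIZE) != 0)
        return MBR_PARTITIONS_CHANGED;
    return MBR_OK;
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed baseline: placeholder boot code and one active NTFS partition at LBA 2048. */
void make_sample_mbr(uint8_t *sector)
{
    memset(sector, 0, SECTOR_SIZE);
    sector[0] = 0xEB; sector[1] = 0x3C;             /* short jump, as real boot code starts */
    memset(sector + 2, 0x90, BOOTCODE_SIZE - 2);    /* NOPs stand in for the loader body */
    uint8_t *e = sector + PART_TABLE_OFF;           /* first partition entry */
    e[0] = 0x80;                                    /* bootable flag */
    e[4] = 0x07;                                    /* partition type: NTFS/exFAT */
    put_le32(e + 8, 2048);                          /* first LBA */
    put_le32(e + 12, 0x100000);                     /* sector count */
    sector[SIG_OFF] = 0x55; sector[SIG_OFF + 1] = 0xAA;
}

/* Models what an MBR locker leaves behind: the loader is replaced, while the partition
 * table and the 0x55AA signature stay intact so the BIOS still executes the sector.
 * The "code" here is just a constructed string, not a real lock screen. */
void simulate_locker_overwrite(uint8_t *sector)
{
    static const char note[] = "YOUR DISK IS LOCKED (constructed sample)";
    memset(sector, 0, BOOTCODE_SIZE);
    memcpy(sector, note, sizeof note);
}

/* Runs one of four constructed scenarios in memory and returns mbr_check's verdict. */
enum mbr_status check_scenario(int scenario)
{
    uint8_t base[SECTOR_SIZE], cur[SECTOR_SIZE];
    make_sample_mbr(base);
    memcpy(cur, base, SECTOR_SIZE);
    switch (scenario) {
    case 1: simulate_locker_overwrite(cur); break;       /* locker ran */
    case 2: cur[SIG_OFF] = 0x00; break;                   /* signature destroyed, wiper-style */
    case 3: cur[PART_TABLE_OFF + 4] = 0x83; break;        /* partition type byte rewritten */
    default: break;                                       /* 0: sector untouched */
    }
    return mbr_check(base, cur);
}

int main(void)
{
    static const char *verdict[] = {"OK", "SIGNATURE MISSING", "BOOT CODE CHANGED",
                                    "PARTITION TABLE CHANGED"};
    for (int s = 0; s < 4; s++)
        printf("scenario %d: %s\n", s, verdict[check_scenario(s)]);
    return 0;
}
```

The order of the checks matters: a locker keeps the signature and partition table so that the machine still boots into its message, which is why the boot-code comparison is what catches it; a missing signature or a changed table points to a wiper or a different family. Capturing the baseline sector while the system is known-good, and re-reading it periodically or at shutdown, is the whole defensive value here.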

The same way of taking a computer out of service is used by many other ransomware families: SmartRansom, Maze, ONI Ransomware, Bioskits, MBRlock Ransomware, HDDCryptor Ransomware, RedBoot and UselessDisk. The MBR-overwrite technique became available to anyone once the source code of programs such as MBR Locker appeared on the net; to confirm this, one only has to look at GitHub [6], where there is a huge number of repositories with source code or ready-made Visual Studio projects.
Compiling such code from GitHub [7] yields a program that disables the user's computer within seconds, and building it takes about five or ten minutes.
It follows that assembling a malicious program requires neither great skill nor resources; anyone, anywhere, can do it. The code circulates freely on the net and is easily reused in programs like these. This gives pause for thought. It is a serious problem that calls for intervention and action.

Source: habr.com