Cofense Intelligence researchers found a new version of the Hentai OniChan ransomware called “King Engine” that is being delivered in a Coronavirus-themed phishing campaign. The new variant exfiltrates data and demands a ransom far higher than previously discovered Hentai OniChan campaigns.[1] This is odd.
According to researchers, the cybercriminals previously used the Berserker variant of this ransomware, which did not exfiltrate data and mainly targeted the energy and finance sectors. The current campaign is a crafty one that exploits public concern over the COVID-19 pandemic to compromise a victim’s device.[2] In this scheme, criminal hackers send emails with an attachment purporting to contain the recipient’s Coronavirus test result, a lure intended to convince the victim to open it.
As shown in an included image, the email also provides a password for opening the document and names a nurse who can answer questions. This, however, is a trick to make the email appear legitimate.
In a blog post, the researchers explained that the downloadable PDF or HTML attachment drops and executes the Hentai OniChan ransomware on the recipient’s device. After the data is exfiltrated, the victim is asked to pay 50 BTC (£524,725 / €584,299 / $676,000). This is an unrealistic figure, which many victims would ignore or would not be willing to pay to obtain the decryption keys for their data. Beyond the high ransom, the email address on the ransom note is a Gmail account, which may indicate the level of expertise and maturity of the scammer behind this campaign.[3]
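The lure described above combines three observable traits: a COVID-themed subject or body, a document attachment (PDF or HTML), and a password handed over in the message body so the attachment can be opened. The following triage script is an added example written for this post; it is not code from Cofense, Red Sky Alliance, or the campaign itself. It parses a raw message with Python's standard `email` module, flags those three traits, and computes a SHA-256 of each attachment so the hash can be looked up on VirusTotal (as the advice further down suggests) without uploading the file. The sample messages, the regexes, the risky-extension list and the scoring thresholds are all assumptions constructed for the example.

```python
import hashlib
import os
import re
from email import message_from_string, policy

# Constructed sample approximating the lure described in the post (not a real sample).
SAMPLE_EML = """\
From: "Test Center" <results@example.invalid>
To: patient@example.invalid
Subject: Your COVID-19 test results
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Your Coronavirus test result is attached. The document password is 1234.
Our nurse Jane can answer any questions.

--XYZ
Content-Type: application/pdf; name="result.pdf"
Content-Disposition: attachment; filename="result.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Constructed benign message used as a control.
BENIGN_EML = """\
From: colleague@example.invalid
To: me@example.invalid
Subject: Lunch on Friday?
Content-Type: text/plain; charset="utf-8"

Are you free for lunch on Friday?
"""

# Assumed heuristics: theme words, a password being handed over, and document types
# commonly used as droppers (the post names PDF and HTML).
COVID_RE = re.compile(r"\b(covid|coronavirus|corona|sars-cov-2)\b", re.I)
PASSWORD_RE = re.compile(r"\bpass(word|code)?\s*(is|:)", re.I)
RISKY_EXT = {".pdf", ".html", ".htm", ".zip", ".iso", ".js", ".exe"}


def _split_parts(msg):
    """Return (plain-text body, {filename: sha256}) for every leaf MIME part."""
    body, attachments = [], {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if part.get_content_disposition() == "attachment" or name:
            payload = part.get_payload(decode=True) or b""
            attachments[name or "<unnamed>"] = hashlib.sha256(payload).hexdigest()
        elif part.get_content_type() == "text/plain":
            body.append(part.get_content())
    return "\n".join(body), attachments


def triage(raw_eml):
    """Score one raw RFC 5322 message against the lure traits described in the post."""
    msg = message_from_string(raw_eml, policy=policy.default)
    subject = msg.get("Subject", "")
    body, attachments = _split_parts(msg)

    findings = []
    if COVID_RE.search(subject) or COVID_RE.search(body):
        findings.append("covid_theme")
    if any(os.path.splitext(n.lower())[1] in RISKY_EXT for n in attachments):
        findings.append("risky_attachment")
    if PASSWORD_RE.search(body):
        findings.append("password_in_body")

    # Assumed policy: all three traits together is the full lure pattern.
    if len(findings) == 3:
        verdict = "quarantine"
    elif len(findings) == 2:
        verdict = "review"
    else:
        verdict = "allow"
    return {"subject": subject, "findings": findings,
            "hashes": attachments, "verdict": verdict}


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage(raw))
```

The hashes in the result are what a help desk would paste into a VirusTotal search rather than uploading a possibly sensitive document; the verdict thresholds are deliberately simple so they can be tuned against an organisation's own mail.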
Cofense Intelligence researchers stated that the Hentai OniChan ransomware was discovered in September of this year and was found in environments protected by Symantec, Proofpoint, Cisco IronPort, Microsoft ATP, and TrendMicro.
Since COVID-19 infections are consistently rising around the globe, a large number of people have taken a test and are currently awaiting their results. The attackers are exploiting a real threat, and it is working in their favor, at least right now.
Most of us are on the Internet often, so we are all vulnerable to such attacks. Please take a moment and scrutinize all messages and emails with a Covid title. Never download attachments you feel are suspicious. If you received Covid test results in this manner, first call your doctor or health care provider to verify their authenticity. If you did download a file from the Internet, scan it on VirusTotal before proceeding further.
Is that all you can do to protect yourself? Actually, no. Good common sense and the protections named above are great, but they are not necessarily full and solid cyber protection. Having tools and services looking into the deep/dark web is essential to a well-rounded cyber protection plan. Installing, updating and monitoring firewalls, cyber security controls and proper employee training are keys to blocking attacks, but utilizing the RedXray and CTAC collection and analysis tools by Red Sky Alliance will ensure a proactive approach to cyber security. Please feel free to contact our analyst team for research assistance and Cyber Threat Analysis on your organization.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
https://attendee.gotowebinar.com/register/8782169210544615949
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
[1] https://www.hackread.com/fake-covid-19-test-result-scam-king-engine-ransomware/
[2] https://www.hackread.com/fake-govt-covid-19-contact-tracking-app-android-ransomware/
[3] https://cofense.com/coronavirus-test-results-return-data-exfiltrating-ransomware/