CoronaVirus Ransomware


SonicWall Capture Labs Threat Research Team has observed a ransomware taking advantage of the Coronavirus fear. As the world battles and seeks more information about the novel CoronaVirus , attackers are finding news news to take advantage of this.This particular ransomware threatens the user that CoronaVirus is here and  should pay money to get rid of it .

Infection Cycle:
The ransomware does the following:
It encrypts and zips the files and renames it to coronaVi2022@protonmail.ch__<filename>.

It changes the drive name to CoronaVirus

It drops CoronaVirus.txt in each and every folder of the infected system.

Modifies the following registry keys

Adds the following registry keys

The malicious sample shows following ransom message.

It waits for 20 mins before it restarts the victim’s machine and displays another ransom note.

Taking a closer look at the ransomware sample its a 32 bit binary .

Dissembling the code to find it modifies the BootExecute information, adds Email and BTC wallet information.



SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: CoronaVirus.RSM_2
  • GAV : CoronaVirus.RSM

This threat is also detected by SonicWALL Capture ATP.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.