Malware creators are taking advantage of the coronavirus pandemic and spreading pandemic-themed malware to demand ransom from users. Since the pandemic has started spreading, security researchers have witnessed a surge in Coronavirus themed MBRLockers.
MBRLockers are a special type of malware that modifies the master boot record (MBR) of the victim’s computer so that it shows a ransom note before Windows boots up.
There are some notorious MBRLockers like Petya and GoldenEye that encrypt partition containing partition information of drives. Thus, it becomes impossible to rebuild the MBR unless the ransom code is entered.
Recently, MalwareHunterTeam discovered a new MBRLocker named “Coronavirus” targeting users with the Covid-19.exe file.
— MalwareHunterTeam (@malwrhunterteam) March 23, 2020
Once installed, the malware extracts users files to a folder in %Temp% and a batch file named coronavirus.bat is executed. Upon its execution, the extracted files are moved to C:\COVID-19 folder. It configures programs to start automatically on login and Windows is restarted.
As soon as the Windows restarts, a message is displayed “coronavirus has infected your PC!” and an image of a virus is displayed.
The, now, replaced custom MBR displays a message saying “Your Computer Has Been Trashed” and Windows fails to boot.
The analysis reveals that the Coronavirus MBRLocker creators have added a bypass that allows you to boot normally. Users need to press Ctrl+alt+esc keys simultaneously.
In addition to this Coronavirus malware, Bleeping Computer has found that several MBRLocker variants have been created in the past week with Coronavirus memes, messages and inside jokes.
We recommend our readers to not install any malicious file as it might lock you out of Windows and demand ransom to decrypt your files.