CoronaLocker is a trojan that is designed to inconvenience users instead of causing damage.
At the time of publication, it is unclear how CoronaLocker is delivered, although there are unconfirmed reports it is distributed disguised as a fake WiFi hacking tool via third-party hosting sites.
Once installed, CoronaLocker will alter registry keys in order to disable common user interfaces including the Windows Start menu and the Run command. It then reboots the affected system, displaying a lock screen to the user and demanding a ransom. It will also use Windows' speech synthesis function to repeat the phrase “corona virus”.
Despite claiming to encrypt files, there is no evidence CoronaLocker alters user files in any way.
Indicators of Compromise
MD5 File Hashes
SHA1 File Hashes
SHA256 File Hashes
CoronaLocker’s lock screen can be bypassed by typing “vb” into the dialogue box. To re-enable registry editing, run the following command as an administrator in Command Prompt:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v DisableRegistryTools /f /d 0
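To find the other interface restrictions described above, the following PowerShell audit lists restriction policy values that are set and can optionally clear them. It is an added example, not part of the original advisory. Only DisableRegistryTools comes from the advisory; the other value names are standard Windows restriction policies chosen here as assumptions, since the advisory does not list which values CoronaLocker sets. The -Reset switch name is hypothetical.

```powershell
# Added example: audit policy keys for UI-restriction values.
# Only DisableRegistryTools is named in the advisory; the remaining value names
# are standard Windows restriction policies included as assumptions.
param([switch]$Reset)   # -Reset (hypothetical switch name) sets flagged values to 0

$checks = @{
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'DisableTaskMgr')
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun', 'NoClose', 'NoLogoff', 'NoControlPanel', 'NoDesktop')
}

$findings = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($subKey in $checks.Keys) {
        $path = "${hive}\${subKey}"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($name in $checks[$subKey]) {
            $value = $props.$name
            # A missing value or 0 means the restriction is not applied.
            if ($null -ne $value -and $value -ne 0) {
                [pscustomobject]@{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No restriction policy values are set.'
    return
}
$findings | Format-Table -AutoSize

if ($Reset) {
    foreach ($f in $findings) {
        # HKLM writes need an elevated session; HKCU writes affect the current user only.
        Set-ItemProperty -LiteralPath $f.Path -Name $f.Name -Value 0 -Type DWord
        Write-Output "Reset $($f.Name) under $($f.Path)"
    }
}
```

Run it once without -Reset to review the findings, because some of these values may be set deliberately by an organisation's Group Policy.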