CoronaLocker Trojan
CoronaLocker is a trojan that is designed to inconvenience users instead of causing damage.
At the time of publication, it is unclear how CoronaLocker is delivered, although there are unconfirmed reports it is distributed disguised as a fake WiFi hacking tool via third-party hosting sites.
Once installed, CoronaLocker will alter registry keys in order to disable common user interfaces including the Windows Start menu and the Run command. It then reboots the affected system, displaying a lock screen to the user and demanding a ransom. It will also use the Windows speech synthesis function to repeat the phrase “corona virus”.
Despite claiming to encrypt files, there is no evidence CoronaLocker alters user files in any way.
Indicators of Compromise
Email Addresses
MD5 File Hashes
- 09387dad1341f534ad51966168c0e4af
SHA1 File Hashes
- 39a58879b0327145f5eb94caa83227564b11abde
SHA256 File Hashes
- 01157c3e056d2040250598bc9b4aac8b4ad8b7f2c595381d320290dd79b8317d
Remediation
CoronaLocker’s lock screen can be bypassed by typing “vb” into the dialogue box. To re-enable registry editing, run the following command as an administrator in Command Prompt:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /t REG_DWORD /v DisableRegistryTools /f /d 0
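The following PowerShell script is an added example, not part of the original advisory. It audits the per-user policy values behind the kind of interface lockout described above and can reset them. Only DisableRegistryTools is named in the advisory; DisableTaskMgr and NoRun are standard Windows policy values included here as assumptions, and the function names are hypothetical.

```powershell
# Added example: audit per-user policy restrictions after a CoronaLocker-style lockout.
# Only DisableRegistryTools comes from the advisory; the other two values are
# standard Windows policy settings included as assumptions.
$policyRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
$checks = @(
    @{ Key = 'System';   Name = 'DisableRegistryTools' },  # named in the advisory
    @{ Key = 'System';   Name = 'DisableTaskMgr' },        # assumption
    @{ Key = 'Explorer'; Name = 'NoRun' }                  # assumption
)

# Return one object per checked value, flagging any that are set to non-zero.
function Get-PolicyRestriction {
    foreach ($c in $checks) {
        $path  = Join-Path $policyRoot $c.Key
        $item  = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{
            Path       = $path
            Name       = $c.Name
            Value      = $value
            Restricted = ($null -ne $value -and $value -ne 0)
        }
    }
}

# Dry run by default; pass -Apply to write 0 to each flagged value.
function Reset-PolicyRestriction {
    param([switch]$Apply)
    foreach ($r in (Get-PolicyRestriction | Where-Object Restricted)) {
        if ($Apply) {
            Set-ItemProperty -Path $r.Path -Name $r.Name -Value 0 -Type DWord
            Write-Output "reset $($r.Path)\$($r.Name) to 0"
        } else {
            Write-Output "would reset $($r.Path)\$($r.Name) (current value $($r.Value))"
        }
    }
}

Get-PolicyRestriction | Format-Table -AutoSize
Reset-PolicyRestriction    # dry run; add -Apply to change the registry
```

HKCU is per-user, so run the script in the affected user's session; an elevated prompt opened under a different account reads and writes that account's hive instead.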

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.