A New Ransomware Hiding Behind Covid-19 Contact-Tracing App: Crycryptor

Earlier this week, Health Canada announced that it had been working with federal and provincial governments on a Covid-19 contact-tracing app. The app is expected to be rolled out in July. However, researchers have observed ransomware pretending to be the official Covid-19 contact-tracing app. While the official app will not be available to users until next month, cyberattackers have found a convenient way to capitalize on the government’s announcement with an Android app of their own. The masquerading app, known as Crycryptor, posed as Canada’s official Covid-19 contact-tracing app to hide its malicious intent.

According to the researchers, the new ransomware has been attacking Android users via two websites under the guise of Canada’s official Covid-19 contact-tracing app. The two websites, now obsolete, were covind19tracer.ca and tracershield.ca. These fake domains hosted APKs that, once downloaded by the user, automatically installed the Crycryptor ransomware on Android devices.

The ransomware came to light when the researchers came across a tweet from the Twitter handle @ReBensk. The APKs were initially thought to hide banking trojan malware; upon further investigation, the malware turned out to be new ransomware. If an Android user downloads the APK from one of these two domains and installs the app, the malware requests access to files on external media and begins encrypting files on the Android device that have extensions such as .PNG. After Crycryptor encrypts a file, it creates three new files, following which the original file is deleted. The encrypted file is said to have the “.enc” extension. Once all the files are encrypted, the ransomware displays a notification on the user’s screen: “Personal files encrypted, see readme_now.txt”.

Also, any app installed on the affected device could launch any service offered by the ransomware.

Following this, the researchers succeeded in creating a decryption tool for the current version of the ransomware. Decryption was possible because of the security weakness CWE-926 (Improper Export of Android Application Components) in Crycryptor. This weakness allows installed apps to launch exported services, meaning that a tool could be developed that launches the ransomware’s own decryption functionality.
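The same weakness can be checked for in any app's manifest. The following is an added example, not code from the original article or from the researchers' tool: it flags services, receivers and providers that are exported without requiring a permission. It assumes the binary `AndroidManifest.xml` has already been decoded to text XML, and the sample manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("service", "receiver", "provider")

# Constructed sample manifest; package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <application>
    <service android:name=".DecryptService" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.sample.permission.SYNC"/>
    <service android:name=".InternalService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def export_state(component):
    """Return 'explicit', 'implicit' (intent-filter, target API < 31) or None."""
    value = component.get(ANDROID + "exported")
    if value is not None:
        return "explicit" if value.strip().lower() == "true" else None
    return "implicit" if component.find("intent-filter") is not None else None


def find_unprotected_exports(manifest_xml):
    """List (tag, name, state) for exported components needing no permission."""
    findings = []
    for app in ET.fromstring(manifest_xml).iter("application"):
        app_permission = app.get(ANDROID + "permission")
        for component in app:
            state = export_state(component)
            if component.tag not in COMPONENT_TAGS or state is None:
                continue
            if component.get(ANDROID + "permission") or app_permission:
                continue  # callers must hold this permission
            findings.append((component.tag, component.get(ANDROID + "name"), state))
    return findings


if __name__ == "__main__":
    for tag, name, state in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported ({state}), no permission required")
```

When the manifest comes from an untrusted APK, parse it with a hardened XML parser such as defusedxml rather than the standard-library parser used here.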

If reports are to be believed, the developer, who named the open-source malware Crydroid, disguised the ransomware app as a research project. Experts believe the developers were aware of the malicious content.

Ransomware has grown to be one of the biggest cybersecurity issues on the web. The attacks increasingly target data centers, enterprise infrastructure and the cloud for more lucrative and effective attacks against organizations. Organizations can avoid falling into the trap of a ransomware attack by ensuring that systems that do not need to be publicly facing are not remotely accessible, and by applying requisite security updates so that malware cannot take advantage of vulnerabilities. Organizations should also keep up-to-date offline backups of their data, so that if an attack does take place, systems and data can be restored without giving in to the demands of the cyberattackers.
