Home Features The Underbelly of COVID-19: Malware and Ransomware Ramp Up

The Underbelly of COVID-19: Malware and Ransomware Ramp Up

covid-19 malware ransomware, netwalker ransomware

Cybercriminals are known to leverage global phenomena for personal gain, be it the elections or the Olympic Games. And COVID-19 is no different. Scammers are using the pandemic to capitalize on a public scare that is already dire.

By Pooja Tikekar, Feature Writer at CISO MAG

Hackers are using social engineering tools to formulate phishing emails in the name of the World Health Organization (WHO) and other regulatory bodies to target vulnerable victims. These phishing emails contain documents with embedded links that result in malware and ransomware attacks.

Here are some of the COVID-19-themed cyberthreats:

1. CovidLock

The security team at DomainTools discovered a domain (coronavirusapp[.]site), which claims to have a real-time Coronavirus Tracker. It poses as a download site for an Android app that maps the spread of the virus across the globe. However, the app has a hidden ransomware application named “CovidLock” that threatens to delete contacts, pictures and videos on the victims’ device if a ransom of $100 in Bitcoin is not paid within 48 hours.

Image source: DomainTools

2. Dharma (CrySIS)

Dharma belongs to the family of CrySIS malware and was first discovered in 2016. The malware is distributed in malicious email attachments to deliver the payload. The payload is attached as an executable file by name “1covid.exe,” which begins to encrypt files after it is downloaded. The encrypted files have an extension called “.ncov” (supposedly Novel Coronavirus). It also drops a ransom note prompting users to write an email to “[email protected]” to restore their files.

dharma ransom note
Image source: Quick Heal

3. Emotet

The Emotet malware spam (malspam) emails contain a warning note and call to action for downloading a malicious Word doc attachment, which is said to contain precautionary health measures and latest updates related to Coronavirus. On opening the attachment and enabling macros in Office 365, an obfuscated VBA macro script begins to run in the background, which further installs a Powershell script and downloads the Emotet malware. The Emotet script also downloads a few other malicious payloads to extract additional data from the targeted system.

4. Maze

Maze ransomware was discovered in 2019, however, amid the Coronavirus crisis, it is used to target health care organizations. It threatens to publish patient records online, thereby putting the health care organizations at risk of the immediate violation of the General Data Protection Regulation (GDPR). According to DataBreaches.net, the operators of Maze ransomware attacked the London-based clinical testing firm Hammersmith Medicines Research, as it has volunteered its services to the U.K.’s National Health Service (NHS) and local medical practices to help test medical frontline staff for COVID-19.

maze ransom note
Image source: Wikimedia Commons

5. REvil

Also known as Sodinokibi, the REvil ransomware operators are targeting managed service providers (MSPs) and local governments amid the pandemic. The operators scan the internet for vulnerable machines to deploy the malware payload through a Virtual Private Network (VPN). The operators targeted and infected California-based biotechnology company 10x Genomics to steal sensitive information, as the firm is part of an international alliance sequencing cells from patients who have recovered from the Coronavirus.

6. NetWalker

A variant of Mailto, the NetWalker ransomware targets home and corporate computer networks to encrypt the files it finds. It targets victims by sending phishing emails attached to execute the payload of the ransomware. Further, the file name “CORONAVIRUS_COVID-19.vbs” tricks users into executing it. Once the “vbscript” is executed, the ransomware is dropped in “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe.” The shadow copies are erased from the system, making safe file recovery difficult.

netwalker ransom note
Image source: McAfee

7. Ginp

Kaspersky researchers have discovered the Ginp Banking Trojan that takes advantage of Android users to steal credit card credentials of potential victims. Once the Ginp is downloaded on the victims’ phone, the attacker sends a special command to the Trojan to open a web page titled “Coronavirus Finder.” The Coronavirus Finder web page displays the number of people infected with the virus near the victim’s location. It then asks them to pay 0.75 Euros to see the location of the virus-infected persons. If the victims agree to pay, the Trojan redirects them to a payment page, where the payment details need to be entered. Once the details are entered, the victims are neither charged, nor do they receive any information about the location of the infected persons. Instead, the credit card details of the victims are accessed.


These are dark times and scammers are taking full advantage of the pandemic to lure ordinary people into clicking on links related to COVID-19. It is essential to be cautious because one downloaded attachment or one click on the wrong link could lead to a disaster.

About the Author

Pooja Tikekar is a Feature Writer, and part of the editorial team at CISO MAG. She writes news and feature stories on cybersecurity trends.

More from the author.