corona

[Content by Gemini 2.5]

CORONA Ransomware – Technical & Recovery Compendium


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: CORONA, appended verbatim to the original file name without a preceding dot (e.g., Annual_Report.xlsxCORONA).
  • Renaming Convention:
    [original_name][ext]CORONA
    Folders themselves are not renamed; instead, a plain-text ransom note (ДЕШИФРАВОР.txt, Russian for “Decryptor”) is dropped inside every folder that contains encrypted files.
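As an added triage example (not code from the original page), the following Python script inventories a file tree for the renaming pattern above, recovers the original name and extension of each encrypted file, counts the ransom notes, and summarises which data types were hit; the sample tree it builds is constructed for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = "CORONA"  # appended verbatim to the full file name, no leading dot
RANSOM_NOTES = {"ДЕШИФРАВОР.txt", "README_DECRYPT.txt"}


def split_encrypted_name(filename):
    """Return (original_name, original_ext) if filename matches
    [original_name][ext]CORONA, else None.  A file named exactly
    'CORONA' is not a match; a stripped name without a dot yields
    ext == '' and is reported for analyst review."""
    if not filename.endswith(SUFFIX) or filename == SUFFIX:
        return None
    stem, ext = os.path.splitext(filename[: -len(SUFFIX)])
    if not stem:
        return None
    return stem, ext


def triage_tree(root):
    """Walk root and classify encrypted files, ransom notes and the
    original extensions affected (useful for scoping an incident)."""
    encrypted, notes, ext_counts = [], [], Counter()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in RANSOM_NOTES:
                notes.append(os.path.join(dirpath, name))
                continue
            parsed = split_encrypted_name(name)
            if parsed:
                encrypted.append(os.path.join(dirpath, name))
                ext_counts[parsed[1].lower() or "<none>"] += 1
    return {"encrypted": encrypted, "notes": notes, "extensions": ext_counts}


def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "Annual_Report.xlsxCORONA").write_bytes(b"\x00" * 16)
        (root / "finance" / "README_DECRYPT.txt").write_text("constructed note")
        (root / "notes.txt").write_text("untouched clean file")
        (root / "CORONA").write_text("decoy named exactly like the suffix")
        result = triage_tree(root)
        return len(result["encrypted"]), len(result["notes"]), dict(result["extensions"])


if __name__ == "__main__":
    print(demo())  # (1, 1, {'.xlsx': 1})
```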

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First prominent public submissions appeared on ID-Ransomware & VirusTotal starting 01-April-2020, aligning with early stages of the COVID-19 pandemic when attackers were capitalizing on coronavirus-themed lures. Campaigns peaked April–June 2020, but new waves continued sporadically through 2021.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Malicious spam – ZIP attachments disguised as WHO/CDC advisories or COVID-19 maps launching a JScript downloader.
  2. SMBv1 / EternalBlue exploitation – Observed after initial foothold to move laterally inside legacy Windows networks.
  3. Weak RDP / RDS endpoints – Brute-force or credential-stuffing attacks followed by manual deployment.
  4. Pirated software – Cracked game or office-suite installers wrapped with the Corona payload.

Remediation & Recovery Strategies:

1. Prevention

  • Block TCP 445/139 and TCP 3389 unless strictly required.
  • Disable SMBv1 via GPO or PowerShell (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).
  • Enforce MFA for all RDP, VPN, and admin accounts.
  • Segregate critical hosts in VLANs that cannot route to the internet directly.
  • Mandatory email filtering for .zip/.js/.vbs/.hta attachments from external senders.
  • Deploy Application Control (Windows Defender Application Control (WDAC) or a third-party product) to prevent unsigned binaries from running in %TEMP%, %APPDATA%, and %USERPROFILE%\Downloads.

2. Removal

  1. Take the machine off network.
  2. Boot from an offline recovery environment (WinRE or Linux-based AV live OS).
  3. Delete persistence:
    • Scheduled Task: “Corona Helper Updater”, which launches C:\Users\<user>\AppData\Roaming\Updater.exe
    • Registry run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Corona
  4. Delete the main payload:
    Typical location: C:\Users\<user>\AppData\Roaming\AstraZeneca\server.exe (folder name rotates with each build).
  5. Run a full scan with an updated engine (Windows Defender Offline, Kaspersky Rescue Disk, or Bitdefender Bootkit Removal).
  6. Re-image the OS if registry hives or WMI repositories show tampering.

3. File Decryption & Recovery

  • Recovery Feasibility: Not possible today – CORONA uses RSA-2048 to encrypt per-file AES-256 session keys that are then exfiltrated to the operator’s command server. No free decryptor exists; private keys have not been leaked.
  • Actions without paying:
    • Search for unaffected devices/off-line backups first.
    • Inspect VSS/Shadow Copies (vssadmin list shadows). CORONA deletes them, but in some cases chain-based backups (Acronis, Veeam) survive.
    • Check synchronized cloud repositories; OneDrive, Dropbox, and Google Drive often retain a 30-day file history that allows a mass restore.
  • Essential Tools/Patches Reference:
    • MS17-010 (EternalBlue patch) – KB4013389, KB4012598.
    • March-2020 cumulative Windows 10 update – hardens RDP against “BlueKeep-style” vulnerabilities.
    • Sysinternals Autoruns & Process Explorer for manual process discovery and residual autorun cleanup.

4. Other Critical Information

  • Unique Characteristics/Artifacts:
    • Locale check: the sample refuses to run if the Windows regional settings belong to a Russian-speaking country (RU, BY, UA, KZ, MD), classic anti-sandboxing/geofencing behaviour of Russian-language actors.
    • Network beacon: POSTs to C2 endpoints on the Telegram CDN (tdomain…upload.telegram.org) using hard-coded bot tokens.
    • Dual ransom-note – one Russian (ДЕШИФРАВОР.txt) and one English (README_DECRYPT.txt) dropped progressively during encryption to ensure victims see at least one of them.
  • Broader Impact: Between April and June 2020, multiple hospitals and local municipalities in Central/Eastern Europe were hit, forcing rescheduling of non-critical surgeries. Interpol’s CYBERCRIME Taskforce flagged CORONA in an April-2020 advisory alongside TrickBot-backed Ryuk. While activity has declined, phishing templates continue to recycle the same COVID-19 themes with refreshed masquerades (e.g., vaccination certificates).

Bottom Line:
Permanent decryption is not available – concentrate on segmented, offline backups, comprehensive MFA, and prompt OS & application patching.