corona-lock

[Content by Gemini 2.5]

CORONA-LOCK RANSOMWARE RESOURCE GUIDE
(Released for the DFIR / IT-Sec community – 2024-05-30)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Exact file extension: .corona-lock
  • Renaming convention:
    OriginalName.{original_extension} → OriginalName.{12_random_hex}.{original_extension}.corona-lock
    Example: Budget2024.xlsx → Budget2024.4a7f9b1e3c2f.xlsx.corona-lock
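As an added example (not part of the original guide), a small Python triage helper that applies the renaming convention above to a directory listing: it recovers original file names from encrypted ones, tallies affected extensions and checks for the HOWTODECRYPT.txt note named later in this guide. The sample listing is constructed.

```python
import re
from collections import Counter
from typing import Iterable, NamedTuple, Optional

# Pattern for the renaming convention described above:
#   <name>.<12 lowercase hex chars>.<original extension>.corona-lock
# Anchored so that "notes.corona-lock" (no token) and
# "report.corona-lock.bak" (suffix not last) do NOT match.
CORONA_LOCK_RE = re.compile(
    r"^(?P<stem>.+)\.(?P<token>[0-9a-f]{12})\.(?P<ext>[^.]+)\.corona-lock$"
)
RANSOM_NOTE = "HOWTODECRYPT.txt"   # note name given in the traits section of the guide


class EncryptedName(NamedTuple):
    stem: str          # file name before the injected token
    token: str         # the 12 random hex characters inserted by the malware
    original_ext: str  # extension the file had before encryption

    @property
    def original_name(self) -> str:
        return f"{self.stem}.{self.original_ext}"


def parse_corona_lock_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed components if the name follows the convention, else None."""
    m = CORONA_LOCK_RE.match(filename)
    return EncryptedName(m["stem"], m["token"], m["ext"]) if m else None


def triage_listing(names: Iterable[str]) -> dict:
    """Summarise a directory listing: what was encrypted and whether the note is present."""
    names = list(names)
    encrypted = [p for p in map(parse_corona_lock_name, names) if p]
    return {
        "encrypted_count": len(encrypted),
        "original_names": sorted(e.original_name for e in encrypted),
        "by_extension": Counter(e.original_ext.lower() for e in encrypted),
        "ransom_note_present": any(n.lower() == RANSOM_NOTE.lower() for n in names),
    }


# Constructed sample listing (not real incident data) for a quick self-check.
SAMPLE_LISTING = [
    "Budget2024.4a7f9b1e3c2f.xlsx.corona-lock",
    "Q1-report.0f1e2d3c4b5a.docx.corona-lock",
    "archive.tar.9e8d7c6b5a40.gz.corona-lock",
    "HOWTODECRYPT.txt",
    "notes.corona-lock",       # no token: not the malware's pattern
    "report.corona-lock.bak",  # suffix not last: ignored
]
```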

2. Detection & Outbreak Timeline

  • First public sightings: 20 Mar 2020 on Russian-language malware forums; widespread spam campaigns started 23 Mar 2020 (coincided with COVID-19 lockdown headlines).
  • Major propagation spikes: 23–28 Mar 2020, 15 Apr 2020, 01 Sep 2020; still resurfacing inside cracked software bundles as of March 2024.

3. Primary Attack Vectors

| Method | Description / CVE or TTP Reference |
|---|---|
| COVID-themed phishing emails | Attachments labelled “CoronaVirusSafetyMeasures.pdf.exe”, “WHOSafetyGuard.pdf.z”, tricking users with pandemic urgency. |
| Cracked software & keygens | Bundled in fake copies of Adobe Acrobat Pro 2020, MS Office 2019, WinRAR 6.x, and popular videogame cheats. |
| RDP brute-force & dictionary attacks | Uses a list of 400k common credentials; after break-in it manually disables Windows Defender via PowerShell (Set-MpPreference -DisableRealtimeMonitoring $true). |
| SMBv1/EternalBlue (MS17-010) | Automated scanning on TCP 445 and 135; drops the DoublePulsar backdoor, then executes a staged PowerShell loader. |
| Fake VPN installers | Seen masquerading as Cisco AnyConnect Secure Client updates pushed through watering-hole sites hosting “work-from-home” tools. |


Remediation & Recovery Strategies

1. Prevention – Act before infection

  1. Disable SMBv1 via Control Panel > Turn Windows Features on or off, or via PowerShell:
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

  2. Segment networks; block incoming TCP 135, 445 and 3389 at the perimeter firewall unless reached via VPN with MFA.

  3. Phishing-resilient posture:
    • Base64 inspection rules on the mail gateway to flag .z / .exe / .lnk attachments whose names contain “COVID” keywords.
    • Force “Protected View” for Office macros.

  4. Apply the following critical patches:
    • MS17-010 (EternalBlue)
    • CVE-2020-0688 (Exchange Control Panel RCE)
    • CVE-2020-1117 (Windows font driver RCE used by second-stage loader).

  5. Least privilege & LAPS (Local Administrator Password Solution).

  6. Up-to-date offline/off-site backups with immutable storage or NAS write-once features (e.g. Veeam Hardened Linux Repository, AWS S3 Object Lock).
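An added example, not from the original guide, of the mail-gateway rule in step 3 expressed in Python: it flags .z/.exe/.lnk and "document.ext" double extensions, base64-decodes the attachment body to check for a PE (MZ) header regardless of the visible extension, and downgrades keyword-only hits to manual review. The sample attachments and the verdict names are constructed.

```python
import base64
import binascii
import re
from typing import Dict, List

# Gateway rule material from the prevention step above: extensions to flag,
# pandemic keywords the campaign used, and "document.ext" double extensions.
RISKY_EXTS = {"exe", "z", "lnk"}
COVID_KEYWORDS = re.compile(r"covid|corona|virus|pandemic|stayhome", re.I)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.[a-z0-9]{1,4}$", re.I)


def inspect_attachment(filename: str, b64_body: str) -> Dict[str, object]:
    """Apply the rules to one attachment and return the verdict with its reasons."""
    reasons: List[str] = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXTS:
        reasons.append(f"risky extension .{ext}")
    if DOUBLE_EXT.search(filename):
        reasons.append("double extension (document name hiding another type)")
    # Base64 inspection: decode the body and look at the real file header, so a
    # renamed executable is caught even when the visible extension looks benign.
    try:
        head = base64.b64decode(b64_body, validate=True)[:2]
    except binascii.Error:
        head = b""
        reasons.append("body is not valid base64")
    if head == b"MZ":
        reasons.append("PE executable header (MZ) in decoded content")
    themed = bool(COVID_KEYWORDS.search(filename))
    if reasons:
        verdict = "block"    # hard structural indicator: stop at the gateway
    elif themed:
        verdict = "review"   # pandemic lure name without a hard indicator
    else:
        verdict = "allow"
    if themed:
        reasons.append("pandemic-themed filename")
    return {"filename": filename, "verdict": verdict, "reasons": reasons}


def screen(attachments: Dict[str, str]) -> Dict[str, str]:
    return {name: inspect_attachment(name, body)["verdict"] for name, body in attachments.items()}


# Constructed sample attachments (base64 of short stand-in payloads, not real malware).
SAMPLE_ATTACHMENTS = {
    "CoronaVirusSafetyMeasures.pdf.exe": "TVqQAA==",                          # MZ header, lure name
    "WHOSafetyGuard.pdf.z": base64.b64encode(b"\x1f\x9d\x90").decode(),        # .z archive
    "invoice.pdf": "TVqQAA==",                                                 # renamed executable
    "covid-guidelines.docx": base64.b64encode(b"PK\x03\x04").decode(),         # OOXML zip
    "Q1-figures.xlsx": base64.b64encode(b"PK\x03\x04").decode(),
}
```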

2. Removal – Clean-up steps after detection

  1. Network isolation
    • Disable Wi-Fi/Ethernet adapters.
    • Physically pull the Ethernet cable or assign a quarantine VLAN on the switch.

  2. Identify & terminate malicious processes
    Windows:
    wmic process where "name='wuapp.exe' and CommandLine like '%coronalocker%'" call terminate
    Linux (where WINE launch wrappers exist):
    pkill -f coronalocker

  3. Delete persistence artefacts
    • Registry:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CoronaLockHelper
      HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CoronaLocker
    • Scheduled tasks:
      schtasks /delete /tn "SystemUpdate" /f

  4. Uninstall rogue services
    sc.exe delete "clService"
    sc.exe delete "shadow-svc"   (the service that deletes VSS copies before encryption)

  5. Full AV scan
    Current detections (May 2024):
    • ESET: Win32/Filecoder.CoronaLock.A
    • Kaspersky: Trojan-Ransom.Win32.Corona.a
    • Microsoft: Ransom:Win32/CoronaLocker.D
    If the boot sector is infected, boot Windows PE or any live distro and run Malwarebytes 4.6+ or Sophos HitmanPro in Safe Mode.

3. File Decryption & Recovery

  • Decryption possible via tool?
    No – Corona-Lock uses RSA-2048 (OAEP) + AES-256 in CBC mode; the offline-generated keys are stored on the attacker's C2.
    Only the actors hold the private RSA key; no free decryptor exists as of 2024-05.

  • Recovery options:
    1. Shadow Copies (VSS) – run vssadmin list shadows and ShadowExplorer 0.9. Usually wiped, but verify first.
    2. Prior backups that were configured with immutability or kept offline/air-gapped.
    3. File-carving utilities (Recuva / PhotoRec) for partial recovery, only if a quick format occurred on virtual disks without TRIM.
    4. Negotiation (ethically discouraged): historical median ransom 0.1 BTC (USD ~800–1200). The decrypter provided does actually work, but law-enforcement decisions should take precedence.

4. Other Critical Information

  • Notable behavioural traits
    • Stops 184 services including SQL Server, Veeam, Acronis, Oracle, QuickBooks.
    • Appends “StayHome #CoronaLock” in ransom note HOWTODECRYPT.txt (forming a hashtag campaign on social media to increase pressure).
    • Checks keyboard locale – exits if Russian, Kazakh, Uzbek (CIS-exclusion routine).

  • Network-wide impact / case studies
    • Singapore SME in early 2021 lost 2 TB accounting records.
    • A mortgage broker in South Africa paid the ransom; leaked data still published on Raid-Forums later.

  • Related families
    Shares code with Nemesis (CryLock) and MegaLocker; uses the same crypter created by “IronGroup – Team corona1x”. IOCs overlap on C2 IPs 185[.]220.102.32 and tor2[.]coronalocker[.]g3t-in-here[.]onion.


Always remember: “Patch first, panic later” – and maintain tested, offline backups as the ultimate control against ANY ransomware strain.