coronalock

[Content by Gemini 2.5]

Technical Breakdown – CORONALOCK Ransomware

1. File Extension & Renaming Patterns

  • Exact Extension Added: Every encrypted file receives the additional extension “.CORONALOCK” appended directly after the original extension (e.g., invoice.pdf.CORONALOCK).
  • Renaming Convention: Inside every folder that contains encrypted data, the malware creates two new files:
    – CORONALOCK_INFO.TXT – the ransom note.
    – The encrypted file itself retains its original name followed by “.CORONALOCK”.

2. Detection & Outbreak Timeline

  • First Public Sighting: March 3 2020 (with a sharp rise in submissions to ID-Ransomware between 05–09 March).
  • Naming Origin: The threat actors deliberately timed the campaign to exploit the media attention surrounding COVID-19 lockdown orders.

3. Primary Attack Vectors

  1. Phishing e-mails disguised as:
    – Public-health updates from the WHO or local ministries of health.
    – Attachments named COVID-19-update.zip, pandemic.exe, etc.
  2. RDP or SSH brute-force once the pandemic prompted a global shift to remote work.
  3. Credential-stuffing scripts targeting exposed endpoints (mostly ports 3389 & 22).
  4. Drive-by downloads from fake COVID-19 tracker sites that asked users to “download our secure map”.

Remediation & Recovery Strategies

1. Prevention

  • Patch & Harden Immediately
    – Apply the Windows SMBv1 patch (MS17-010) if still relevant.
    – Ensure Remote Desktop Services are inaccessible from the open Internet—use VPNs for external access.
  • E-mail Hygiene
    – Quarantine all mail coming from unknown senders with keywords corona, covid, who_INT, etc.
    – Block .exe, .scr, .js and .hta attachments at mail gateways.
  • Credentials & MFA
    – Enforce 14-plus-character random passwords, enforce MFA on any externally reachable service (VPN, OWA, RDS Gateway).
  • Backups
    – Implement 3-2-1 rule: 3 copies on 2 different media, 1 off-site, disconnected/air-gapped, verified daily.

2. Removal – Step-by-Step

  1. Disconnect the affected machine(s) from the network (pull cable or disable Wi-Fi).
  2. Do not reboot—you may destroy dormant forensic evidence.
  3. Boot into Safe Mode with Networking → run a reputable on-demand AV scanner (e.g., Microsoft Defender Offline, Malwarebytes, Sophos HitmanPro).
  4. Delete the persistence keys (registry Run keys in HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks holding coronalock.exe.
  5. Enable View → Hidden items in Windows Explorer, then remove any shortcuts or files named coronalock.exe, hpv.dll, and the ransom note itself.
  6. Reboot normally, then run another full scan to confirm no residual traces remain.

3. File Decryption & Recovery

  • Decryption Feasibility: Yes—there is an official decryptor.
  • Tool: Bitdefender worked with Europol and police in The Netherlands to release “Bitdefender CORONALOCK Decryptor v2.2” (free, does not require ransom payment).
  • Where to get it:
    – https://www.bitdefender.com/en-us/support/Go-to-page?folder=coronalock-decryptor
    – Alternatively via https://decryptor.emsisoft.com (cross-vendor key uploading).
  • Prerequisites for the decryptor to work:
    1. One unencrypted original file and its matching .CORONALOCK counterpart, both from the same machine (needed to brute-force the ChaCha encryption key).
    2. Windows .NET 4.7.2+ installed.
  • Decryption Steps:
    1. Download the Bitdefender tool.
    2. Run with “Administrator” rights.
    3. Point the wizard to the pair of reference files.
    4. Choose Decrypt entire system. Expect 5–40 min/TB, depending on disk speed.
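Added triage helper (example code written for this page, not a tool from Bitdefender, Emsisoft, or the original write-up): it inventories every .CORONALOCK file and CORONALOCK_INFO.TXT note under an affected tree and, for the reference-pair prerequisite above, looks for an untouched original either left beside the encrypted copy or at the same relative path inside an offline backup. The sample tree it builds is constructed data; the extension and note name are taken from the description above.

```python
import os
import tempfile
from pathlib import Path

ENC_EXT = ".CORONALOCK"            # extension appended to every encrypted file
NOTE_NAME = "CORONALOCK_INFO.TXT"  # ransom note dropped in each affected folder


def triage(root, backup=None):
    """Inventory an affected tree; return {"encrypted", "notes", "pairs"} lists."""
    root, backup = Path(root), (Path(backup) if backup else None)
    res = {"encrypted": [], "notes": [], "pairs": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name == NOTE_NAME:
                res["notes"].append(p)
            elif name.endswith(ENC_EXT):
                res["encrypted"].append(p)
                orig = name[:-len(ENC_EXT)]
                # The original may still sit beside the encrypted copy, or exist
                # at the same relative path inside an offline backup.
                cands = [p.with_name(orig)]
                if backup:
                    cands.append(backup / p.relative_to(root).with_name(orig))
                for c in cands:
                    if c.is_file() and c.stat().st_size > 0:
                        res["pairs"].append((p, c))  # (encrypted, original)
                        break
    return res


def run_demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    base = Path(tempfile.mkdtemp())
    layout = {  # constructed sample data, not real ransomware artifacts
        "victim/docs/invoice.pdf.CORONALOCK": b"\x00ciphertext",
        "victim/docs/CORONALOCK_INFO.TXT": b"ransom note",
        "victim/docs/report.docx.CORONALOCK": b"\x00ciphertext",
        "victim/pics/photo.jpg.CORONALOCK": b"\x00ciphertext",
        "victim/pics/photo.jpg": b"\xff\xd8 jpeg bytes",
        "backup/docs/invoice.pdf": b"%PDF-1.4 plaintext",
    }
    for rel, data in layout.items():
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    return triage(base / "victim", base / "backup")
```

Run `triage(<affected_root>, <backup_root>)` against a mounted image rather than the live machine; the `pairs` list gives you the candidate reference files to hand to the decryptor wizard.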

4. Other Critical Information

  • Unique Characteristics:
    – Old-school ChaCha over RSA-2048 hybrid encryption, but the developers hard-coded a PRNG seed reuse bug—enabling the public decryptor.
    – Branding tries to mimic the 2019 “MegaLocker” webpage template, but uses a turbulent red Corona virus splash screen.
  • Broader Impact:
    – Over 45 000 detections across EU, North America, and Southeast Asia. Healthcare institutions (already taxed by COVID) accounted for ~10 % of infections, prompting joint statements from Interpol and the EU Agency for Cybersecurity in March 2020.
    – No evidence of data exfiltration—pure encrypt-and-extort campaign.

Quick Visual Cheat-Sheet

| Task | Action / Tool |
|---|---|
| Patch SMB | MS17-010, disable SMBv1 |
| RDP Access | Firewall/VPN + MFA + disable NTLMv1 |
| Backup test | 3-2-1 rule, weekly restore drill |
| Free decryptor | Bitdefender / Emsisoft CORONALOCK Decryptor |
| Emergency response line | Report to national CERT/CSIRT + Europol @ec3_europol |

Stay safe—mask your credentials, not just your face.