Fake COVID-19 test result email drops King Engine ransomware

“King Engine” ransomware is a variant of Hentai OniChan ransomware which, after infecting a system, asking for a ridiculous 50 BTC as ransom.
Ransom note

“King Engine” ransomware is a variant of Hentai OniChan ransomware.

According to Cofense Intelligence researchers, a new version of Hentai OniChan ransomware dubbed “King Engine” is being delivered in a Coronavirus-themed phishing campaign.

The new variant exfiltrates data and demands a massive amount as ransom, which is significantly higher than previously discovered Hentai OniChan campaigns.

See: Hackers using fake live Coronavirus map to spread malware

According to researchers, cybercriminals used the Berserker variant of this ransomware previously in their campaign, which didn’t exfiltrate data and mainly targeted the energy and finance sectors.

However, this is a tricky campaign that uses the COVID-19 scare to compromise the victim’s device. In this scam,  attackers are sending emails that contain the recipient’s Coronavirus test result in an attachment, which is just a lure to convince the victim to open the attachment.

Fake coronavirus test results phishing emails loaded with ransomware

As shown in the image above, the email also provides a password for opening the document and mentions a nurse who can answer their questions. However, it is a trick to make the email appear legitimate.

In a blog post, the researchers explained that the downloadable PDF or HTML attachment drops and executes the Hentai OniChan ransomware on the recipient’s device. After exfiltrating data, the victim is asked to pay 50 BTC (£524,725 – €584,299- $676,000).

It is an absurdly high figure, which not many would be interested in paying to get decryption keys for unlocking their data.

Other than the absurd price, the email address mentioned on the ransom note is a Gmail one which says a lot about the level of maturity of the scammer being this campaign.

Fake COVID-19 test result emails drop King Engine ransomware
Ransom note

Cofense Intelligence researchers stated in a blog post that the Hentai OniChan ransomware was discovered in September and is found in an environment protected by Symantec, Proofpoint, Cisco IronPort, Microsoft ATP, and TrendMicro.

Since COVID-19 infections are consistently rising around the globe, a large number of people have taken a test and awaiting results. The attackers are exploiting a real threat, and it is working in their favor at the moment.

If you are on the internet, you are vulnerable to such attacks. Make sure you don’t fall these scare tactics and don’t download or open files from anonymous users. In case you have downloaded a file from the internet scan it on VirusTotal before proceeding further.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

1 comment

Comments are closed.

Related Posts