A new ransomware family has surfaced in Canada, targeting Android users and locking up their personal photos and videos.
Called CryCryptor, it was first spotted posing as the official COVID-19 tracing app provided by Health Canada. According to ESET researchers, it is being distributed through two bogus websites that imitate official sources, one of them tracershield[dot]ca.
Like other crypto-ransomware, it encrypts targeted files rather than simply locking the device’s screen, and it drops a “readme” file containing the attacker’s email address in every affected directory. The app is built on open-source code that is easily found on GitHub.
When someone launches the malicious app, it requests access to files on the device. After that, selected files are encrypted using AES with a randomly generated 16-character key.
“After CryCryptor encrypts a file, three new files are created, and the original file is removed,” according to ESET. “The encrypted file has the file extension .enc appended, and the algorithm generates a salt unique for every encrypted file, stored with the extension .enc.salt; and an initialization vector, .enc.iv.”
Interestingly, targeted files include photos and videos.
“It is interesting to see that this attack included file type extensions such as .jpg, .png and .avi along with document types as well,” Erich Kron, security awareness advocate at KnowBe4, said via email. “By encrypting photos and videos on the external storage on the phone as opposed to simple documents, the attackers are making it personal and attempting to improve their odds of payment. People tend to keep a lot of personal photos on their devices, which makes them a prime target.”
Once encryption is complete, researchers found that CryCryptor displays a notification that says: “Personal files encrypted, see readme_now.txt.” That readme_now.txt file is placed in every directory with encrypted files.
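The file layout described above (F.enc, F.enc.salt and F.enc.iv next to each other, the original removed, and readme_now.txt in every touched directory) is distinctive enough to triage a copy of a device’s storage for. The script below is an added example, not code from ESET or from the ransomware; it assumes exactly that naming, the function names and the sample tree are ours, and it walks a constructed victim tree to report fully encrypted files, files whose encryption was interrupted (a sidecar missing, or the original still present because the delete step never ran), and directories carrying the ransom note.

```python
"""Triage a directory tree (e.g. a copy of a phone's external storage) for
CryCryptor-style artifacts.

Added example, not code from ESET or from the ransomware. It assumes the
layout described in the article: for an original file F, the malware writes
F.enc, F.enc.salt and F.enc.iv, deletes F, and drops readme_now.txt in every
directory it touched. Function names and the sample tree are ours.
"""
import os
import tempfile
from pathlib import Path

README_NAME = "readme_now.txt"
ENC_SUFFIX = ".enc"
SALT_SUFFIX = ".enc.salt"
IV_SUFFIX = ".enc.iv"


def scan_tree(root):
    """Walk `root` and classify what is found.

    Returns a dict with four lists:
      encrypted      (directory, original name) where .enc, .enc.salt and
                     .enc.iv are all present, i.e. the full routine ran
      incomplete     .enc paths lacking a .salt or .iv sibling, which points
                     to an interrupted run or renamed sidecar files
      originals_left originals still sitting next to their .enc copy, i.e.
                     the delete step did not run and the data is recoverable
      readme_dirs    directories containing the ransom note
    """
    found = {"encrypted": [], "incomplete": [], "originals_left": [], "readme_dirs": []}
    for dirpath, _subdirs, files in os.walk(root):
        names = set(files)
        if README_NAME in names:
            found["readme_dirs"].append(dirpath)
        for name in files:
            # Sidecars end in .salt/.iv, so only the payload files get here.
            if not name.endswith(ENC_SUFFIX):
                continue
            original = name[: -len(ENC_SUFFIX)]
            has_salt = (original + SALT_SUFFIX) in names
            has_iv = (original + IV_SUFFIX) in names
            if has_salt and has_iv:
                found["encrypted"].append((dirpath, original))
            else:
                found["incomplete"].append(os.path.join(dirpath, name))
            if original in names:
                found["originals_left"].append(os.path.join(dirpath, original))
    return found


def build_sample_tree():
    """Create a constructed (fake) victim tree under a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="crycryptor-triage-")
    dcim = Path(root, "DCIM")
    dcim.mkdir()
    # Fully processed file: original gone, three artifacts plus the note.
    for suffix in (ENC_SUFFIX, SALT_SUFFIX, IV_SUFFIX):
        (dcim / ("IMG_0001.jpg" + suffix)).write_bytes(b"\x00" * 16)
    (dcim / README_NAME).write_text("Personal files encrypted. (constructed note)\n")
    # Interrupted file: .enc and .salt written, no .iv, original still there.
    (dcim / "VID_0002.avi.enc").write_bytes(b"\x00" * 16)
    (dcim / "VID_0002.avi.enc.salt").write_bytes(b"\x00" * 16)
    (dcim / "VID_0002.avi").write_bytes(b"RIFF")
    # Untouched directory.
    docs = Path(root, "Documents")
    docs.mkdir()
    (docs / "notes.txt").write_text("clean\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for category, items in scan_tree(sample_root).items():
        print(f"{category}: {items}")
```

Run it against a mounted image or an `adb pull` of /sdcard instead of the sample tree; the `originals_left` and `incomplete` lists are the ones worth looking at first, since they identify data that can be recovered without the key.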
ESET researchers discovered the GitHub repository using a simple search “based on the app’s package name and a few strings that looked unique,” they said.
The developers tried to pass the project, called CryDroid, off as legitimate research and claim to have uploaded the code to the VirusTotal service.
“[They] must have known the code would be used for malicious purposes,” according to ESET. “We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes.”
The researchers were able to create a decryption tool, thanks to a flaw in the coding of the malicious app.
“After we spotted the tweet that brought this ransomware to our radar (the researcher who discovered it mistakenly labeled the malware as a banking trojan), we analyzed the app,” researchers said in a posting on Wednesday. “We discovered a bug of the type ‘Improper Export of Android Components’ that MITRE labels as CWE-926.”
This type of bug, listed as an “Improper Export of Android Application Components,” occurs when an Android application “exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains,” according to MITRE.
Because of the bug in the app, any other app that is installed on the affected device can launch any exported service provided by the ransomware.
“This allowed us to create the decryption tool – an app that launches the decrypting functionality built into the ransomware app by its creators,” according to ESET.
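What such a CWE-926 declaration looks like, as an added illustration rather than the ransomware’s actual manifest (the package, service and action names are placeholders): a service declared like the first one below can be started by any app on the device, which is how a separate decryptor app can drive the malware’s own decryption routine; the second declaration closes the door.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.crydroid">
    <application>

        <!-- Vulnerable (CWE-926): exported and no permission required.
             Any app on the device can call startService() on it and choose
             the action and extras; so can `adb shell am startservice`.
             Note: on Android 11 and earlier, a component that has an
             <intent-filter> is exported by default, so leaving
             android:exported unset here would be just as bad. -->
        <service android:name=".DecryptService"
                 android:exported="true">
            <intent-filter>
                <action android:name="com.example.crydroid.action.DECRYPT" />
            </intent-filter>
        </service>

        <!-- Hardened: only this app's own components can start it. If a
             second app of yours genuinely must reach it, declare a
             <permission android:protectionLevel="signature"> and require it
             with android:permission on the service instead of exporting it
             unguarded. -->
        <service android:name=".DecryptServiceInternal"
                 android:exported="false" />

    </application>
</manifest>
```

Against the vulnerable declaration, the shell equivalent of what the decryptor app does is `adb shell am startservice -n com.example.crydroid/.DecryptService -a com.example.crydroid.action.DECRYPT` (placeholder names); against the hardened one the same call is rejected with a SecurityException.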
CryCryptor, like other malware, is looking to take advantage of governments rolling out COVID-19 tracing apps to fight the pandemic. The Canadian government officially announced the creation of a nationwide, voluntary tracing app called COVID Alert, due to be rolled out for testing in the province of Ontario in July. The new ransomware family surfaced just a few days later.
Another new malware strain was recently found using the same tactic. The “[F]Unicorn” ransomware appeared in May, pretending to be “Immuni” – Italy’s official coronavirus-tracking app. The real beta version is rolling out across the country; the fake app houses a malicious executable, purporting to be from the Italian Pharmacist Federation (FOFI).
“The most successful phishing campaigns use a topical, stressful event to set the stage for communication with the victim to increase their effectiveness,” said Rob McLeod, director of Advanced Threat Analytics, eSentire, via emailed comment.
He added, “COVID-19 provides an ideal backdrop for cybercriminals to conduct these operations. Users will likely be familiar with phishing attacks, and CryCryptor is not the first Android ransomware in the wild. What’s different for most users in the mobile device context is the exposure of communication vectors not typically associated with phishing attacks. This includes voice, SMS, messaging apps, and social media channels where attackers can communicate with potential victims to trick them into installing non-legitimate apps.”