Corona Ransomware
[Virus/Malware Activity Report: Corona Ransomware]
We are aware of a security breach suspected to be a form of Corona ransomware.
We would like to provide the following information and warning regarding the situation.
Corona ransomware
The ransomware is called Corona and appears to rename all files to filename.extension.corona.
How it works
File version

[Figure 1 Ransomware executable file compiler information]

[Figure 2 File information in Windows properties]
Ransomware behavior characteristics
The Corona ransomware appears to have been developed in Python. During execution, it installs the libraries it needs in the %LocalAppData%\Temp\_MEI19202 path, and then deletes that temporary directory once installation is complete. The encryption target is limited to the user's library folder and drives A through N, so the encryption scope is relatively simple.

[Figure 3: Copied executable file and startup program registration registry]

[Figure 4: Copied executable file and startup program registration registry]
Infection results
After encryption is complete, a guide file named _README.txt is created in each folder, and each encrypted file is renamed to <file name.extension.coronavirus>.


[Figure 5 Infection Results]
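A triage sketch for the indicators described above, added here as an example and not taken from the original report or from White Defender: it walks a directory tree and lists the folders that contain the _README.txt note or files carrying the appended suffix, together with each file's original name. Both `.corona` and `.coronavirus` are checked because the report names both; the function names and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the report: the note name and both suffixes it mentions.
NOTE_NAME = "_README.txt"
SUFFIXES = (".corona", ".coronavirus")


def scan(root):
    """Return {folder: {"note": bool, "encrypted": [(file, original_name)]}}
    for every folder under root that shows at least one indicator."""
    findings = {}
    # onerror swallows permission errors so one unreadable folder does not stop the walk.
    for folder, _dirs, files in os.walk(root, onerror=lambda e: None):
        hits = []
        for name in files:
            lower = name.lower()
            for suffix in SUFFIXES:
                # Require a non-empty original name in front of the appended suffix.
                if lower.endswith(suffix) and len(name) > len(suffix):
                    hits.append((name, name[: -len(suffix)]))
                    break
        has_note = any(f.lower() == NOTE_NAME.lower() for f in files)
        # A note with no renamed files is a weaker signal; it is still reported.
        if hits or has_note:
            findings[str(folder)] = {"note": has_note, "encrypted": sorted(hits)}
    return findings


def demo():
    """Build a constructed directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Documents").mkdir()
        (root / "Pictures").mkdir()
        (root / "Documents" / "report.docx.corona").write_bytes(b"x")
        (root / "Documents" / NOTE_NAME).write_text("constructed note")
        (root / "Documents" / "notes.txt").write_text("untouched")
        (root / "Pictures" / "cat.jpg").write_bytes(b"x")
        # Re-key by folder name so the result outlives the temp directory.
        return {Path(k).name: v for k, v in scan(root).items()}


if __name__ == "__main__":
    for folder, info in demo().items():
        print(folder, info)
```

Run `scan()` against the user profile and each mounted drive to scope which folders need restoring.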
White Defender response
WhiteDefender blocks the ransomware's malicious actions and also supports real-time automatic restoration of files that were encrypted before the block.


[Figure 6 White Defender Response]
