WANNACASH NCOV Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 11
First Seen: January 19, 2011
Last Seen: October 18, 2020
OS(es) Affected: Windows

The WANNACASH NCOV Ransomware is a brand-new data-locking Trojan that was spotted by malware researchers. Like many other cybercriminals, the creators of the WANNACASH NCOV Ransomware have opted to exploit the Coronavirus outbreak that is sweeping the world to generate some cash for themselves. We have seen a massive increase in fraudulent websites, online tactics, and various malware since the COVID-19 pandemic started making headlines worldwide. Countless cyber crooks are using this crisis to benefit, and the creators of the WANNACASH NCOV Ransomware are a great example.

Propagation and Encryption

The WANNACASH NCOV Ransomware is likely being spread with the help of bogus emails that contain corrupted attachments, a trick utilized by many authors of ransomware threats. Another commonly utilized technique is software 'cracking' tools that are meant to allow the user to install and use a paid application for free. Authors of ransomware also use malvertising operations, torrent trackers, and fake software updates to propagate data-locking Trojans.

The WANNACASH NCOV Ransomware is likely able to encrypt all the data present on your computer. This means that the Trojan will lock all your documents, images, audio files, presentations, databases, archives, videos, spreadsheets, etc. Once the WANNACASH NCOV Ransomware locates all the targeted files, it will use an encryption algorithm to lock them and therefore render them unusable. The Trojan renames every encrypted file following the pattern 'Файл зашифрован. Пиши. Почта clubnika@elude.in [<random number>].WANNACASH NCOV v310320.' The Russian prefix reads 'File encrypted. Write. Email.' The only difference between renamed files is the [<random number>] section of the name, which will be uniquely generated for each affected file.

The Ransom Note

The WANNACASH NCOV Ransomware's ransom note, named 'Как расшифровать файлы.txt' ('How to decrypt files.txt'), is written entirely in Russian, so it is likely that most of its victims will be located in the Russian Federation. The attackers offer to unlock two files for free to prove to the victims that they are able to recover the encrypted data successfully. The attackers provide two email addresses where the users can contact them: 'clubnika@elude.in' and 'clubnika@cock.li'. The authors of the WANNACASH NCOV Ransomware demand to be contacted within seven days of the attack taking place, or they threaten to wipe out the decryption key the user needs to recover their files.

Text presented in WANNACASH NCOV ransomware's text file ("Как расшифровать файлы.txt"), translated from Russian:

All important files on YOUR computer have been archived and encrypted using AES-256-CBC + RSA 1024bit encryption.
----------
I guarantee that YOU will be able to safely and easily recover all your files.
To confirm my honest intentions, send 2 files of your choice to my email, and YOU will receive them decrypted.
email: clubnika@elude.in
backup email: clubnika@cock.li - If I do not reply within 24 hours, write to the backup email.
do not forget to check your spam folder!
----------
YOU have exactly 7 days to contact me. On 09.04.2020 YOU will be refused decryption, and YOUR decryption key will be deleted automatically. I have warned you.
----------
* Do not try to decrypt your data with third-party programs; this may lead to damage or other consequences unpleasant for YOU.
* I strongly advise against seeking help on antivirus company forums. You will only waste time waiting for a negative answer.
__________
WANNACASH NCOV v310320
1705
66,01 sec.

When translated to English, the ransom note says that the files are encrypted with AES-256-CBC and RSA-1024 encryption algorithms. Victims must contact the team behind the infection within seven days to save their data. The hackers delete the decryption key needed to unlock files after seven days. The note also warns against using third-party decryption tools, suggesting that it could result in data loss and other issues.
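The file-name indicators described above (the rename pattern and the ransom note name) can be turned into a quick triage scan that shows which folders were hit. This is an added example, not code from the original write-up; the function names are hypothetical, and it assumes the random number is a run of decimal digits and that the period after "v310320" in the pattern is sentence punctuation.

```python
import os
import re
import tempfile
import unicodedata

def nfc(s):
    return unicodedata.normalize("NFC", s)

# Indicators quoted in the write-up above.
NOTE_NAME = nfc("Как расшифровать файлы.txt")
EXT_MARKER = ".WANNACASH NCOV v310320"
# Assumed: the number is decimal digits in literal brackets; the final '.' is punctuation.
RENAMED_RE = re.compile(
    nfc(r"^Файл зашифрован\. Пиши\. Почта clubnika@elude\.in \[\d+\]")
    + re.escape(EXT_MARKER) + "$")

def classify(name):
    """Label one file name: 'ransom_note', 'renamed_file', 'extension_only' or None."""
    n = nfc(name)  # 'й' can arrive decomposed (NFD), e.g. from archives or macOS shares
    if n.casefold() == NOTE_NAME.casefold():
        return "ransom_note"
    if RENAMED_RE.match(n):
        return "renamed_file"
    if n.casefold().endswith(EXT_MARKER.casefold()):
        return "extension_only"  # marker present, rest of the name differs
    return None

def scan(root):
    """Walk root and count indicator hits per directory."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind:
                per_dir = hits.setdefault(dirpath, {})
                per_dir[kind] = per_dir.get(kind, 0) + 1
    return hits

def demo():
    """Scan a constructed tree: one affected folder, one clean folder."""
    prefix = "Файл зашифрован. Пиши. Почта clubnika@elude.in "
    tree = {"docs": [prefix + "[48213]" + EXT_MARKER, prefix + "[7]" + EXT_MARKER,
                     NOTE_NAME, "notes.txt"], "clean": ["a.txt"]}
    with tempfile.TemporaryDirectory() as root:
        for folder, names in tree.items():
            os.makedirs(os.path.join(root, folder))
            for name in names:
                open(os.path.join(root, folder, name), "w").close()
        return {os.path.relpath(d, root): c for d, c in scan(root).items()}
```

Pointing `scan()` at a user profile or file-share root gives a per-directory count that helps scope which backups need to be restored.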

One problem with ransomware such as WANNACASH NCOV is that, more often than not, the hackers behind the program are the only ones who can undo the damage it causes. These hackers commonly offer to decrypt one or two files as a sign of good faith that their tools work. Victims should never trust an attacker, though, even if they do decrypt the files as promised. This is no indication that they can be trusted to deliver the decryption tool after being paid. The only truly safe and effective way to restore files without being scammed or making a payment is to restore files from a backup.

Please keep in mind that any encrypted files will stay encrypted even if you find and uninstall the ransomware. It is worth doing this to prevent further infection, but just uninstalling the ransomware isn’t enough to solve the problem.

How Did My Computer Get Infected With WANNACASH NCOV?

Hackers use several different attack methods to get to computers. One of the most common ways of spreading ransomware is the use of spam email campaigns. Other popular infection methods are illegal cracking activation tools, malicious downloads, trojan viruses, and malicious software updates.

Spam emails contain a malicious link or attachment and are written in such a way to trick users into accessing those attachments. Once a person opens a malicious attachment, their computer is infected. Infected attachments come in a few different varieties, but the most common ones are Microsoft Office files, PDF files, executable files, archives, and JavaScript files.

Attempting to activate licensed software with a cracking tool illegally can lead to the installation of malicious programs. These tools spread malware by infecting computers instead of activating the product as advertised.

Trojan viruses are another severe issue. These viruses cause chain infections by installing other malware. Trojan viruses, along with ransomware itself, spread through peer-to-peer networks, third-party downloaders, and file hosting websites. These websites are another attack method for threat actors.

It’s worth mentioning that the cyber-criminals behind these attacks like to disguise their files as legitimate files. They can trick even savvy users. Downloading and opening a file through the channels mentioned above comes with the risk of computer infection.

How to Prevent the WANNACASH NCOV Infection

You should never open attachments or access websites from unsolicited emails from unknown sources. Cybercriminals send these emails en masse to trick recipients into infecting themselves with malware. You should never open email contents unless you know the sender and are sure the email is coming from them.

Another good step to take is to download software only through direct links on official websites. Avoid using other channels, such as third-party downloaders and peer-to-peer networks. Cybercriminals use these channels to distribute their malicious programs.

You should only install and update operating systems and programs using official functions and tools from the official developer. Unofficial activation tools (known as crackers) and unofficial updating tools can install malware. There’s also the fact that it is illegal to use cracking tools to download and activate third-party tools.

Last but not least, you want to be sure to scan your computer regularly with a trusted antivirus/anti-spyware tool. These tools are designed to check for and remove threats from your computer. If you are worried that your computer is infected, get rid of the infection as soon as possible and work on restoring your data.

At the end of the day, the best way to protect yourself against threats like ransomware is to have data backups in place. That way, you can always restore your data right away in the case of a ransomware infection like WANNACASH NCOV.
