New ransomware lures victims by pretending to be a Canadian Government COVID-19 tracing app

The fraudulent websites encrypt data from victim’s android devices, ESET revealed

New ransomware called CryCryptor has been targeting Android users in Canada under the premise of being an official COVID-19 tracing app — according to research published by ESET on Wednesday.

The ransomware, distributed via two fraudulent government-backed websites, encrypts personal data from the victims’ devices. ESET’s researchers have analysed the ransomware and developed a decryption tool for victims. The cybersecurity company has also informed the Canadian Centre for Cyber Security upon discovery and identification of the ransomware.

According to ESET, the fraudulent websites claimed to be an initiative by Health Canada to aid in contact tracing once a patient has been declared as COVID-19 positive. Interestingly, the websites appeared a few days after an official announcement by the Canadian Government to back the development of a nation-wide contact tracing app called COVID Alert.

The app is set to be rolled out for testing in Ontario and has not been officially launched. Scammers took advantage of the announcement by Canadian authorities to lure victims into believing the authenticity of the website.

The hackers work to encrypt the files on the victim’s device and instead of locking the device, it leaves a “readme” file with the attacker’s email in every directory with encrypted files, ESET reported. The files are encrypted using AES with a randomly generated 16-digit key. Once CryCryptor encrypts a file, it removes the original file and replaces it with three new files. These displays a notification “Personal files encrypted, see readme_now.txt”.

The ransomware network caught the eye of the ESET researchers when a tweet identifying a ‘malware’ on the supposedly official website was put out by a user. The cyber-security company then analyzed the app and discovered an “ a bug of the type ‘Improper Export of Android Components’ that MITRE labels as CWE-926,” the official announcement said. This bug allowed ESET researchers to develop an app that launches the decrypting functionality built into the ransomware app by its creators.

The CryCryptor ransomware is based on an open-source code available on GitHub. ESET researchers have stated that the developers of open-source ransomware, who named it CryDroid, were aware of it being used for malicious purposes and falsely tried to disguise it as a research project.

“We dismiss the claim that the project has research purposes – no responsible researcher would publicly release a tool that is easy to misuse for malicious purposes,” the announcement stated. “We notified GitHub about the nature of this code,” it added.