Earlier this week, Health Canada announced they had been working with federal and provincial governments on Covid-19 contact-tracing app. The app is expected to be rolled out in July. However, researchers have observed ransomware pretending to be the official Covid-19 contact-tracing app. https://blog.excellimatrix.com/post/a-new-ransomware-hiding-behind-covid-19-contact-tracing-app-crycryptor

1. A New Ransomware Hiding Behind Covid-
19 Contact-Tracing App: Crycryptor
Earlier this week, Health Canada announced they had been working with federal and
provincial governments on Covid-19 contact-tracing app. The app is expected to be rolled out
in July. However, researchers have observed ransomware pretending to be the official Covid-
19 contact-tracing app. While the official app has not yet been made available for users until
next month, cyberattackers have found a convenient way to capitalize on the government’s
announcement with an Android app of their own. The Covid-19 masquerading app, known as
Crycryptor, posed as Canada’s official Covid-19 contact-tracing app, hiding its malicious
intent.
As per the researchers, the new ransomware has been attacking Android users, via two
websites under the guise of Canada’s official Covid-19 contact-tracing app. The two, now
obsolete websites, were covind19tracer.ca and tracershield.ca. These fake domains were
hosting APKs, that once the user downloads, the Crycryptor automatically installed the
ransomware on Android devices.
The ransomware came to light when the researchers caught hold of a tweet by a Twitter
handle @ReBensk. It was initially spotted that the APKs were hiding a banking trojan
malware, upon further investigation, it was found the malware turned to be new ransomware.
Due to this bug, if an Android user downloads the APK from these two domains and installs
the app, the malware requests user access to files on external media and begins encrypting the
content on the Android device with extensions such as .PNG. After the ransomware app-

2. Crycryptor, encrypts a file, it then creates three new files, following which the original file is
deleted. The encrypted file is said to have “.enc” extension. Once all the files are encrypted,
the ransomware bug displays a notification on the user’s screen as “Personal files encrypted,
see readme_now.txt”.
Also, any app installed on the affected device could launch any service offered by the
ransomware bug.
Following this, the researchers have been successful in creating a decryption tool for the
current version of the ransomware. The decryption was possible due to the fact that
Crycryptor takes advantage of the security weakness- CWE-926. This allows installed apps to
launch exported services, meaning, that a tool could be developed that launches the
ransomware’s decryption role.
If reports are to be believed, the developer who named the open-source malware Crydroid-
hid the ransomware app has a research project. Experts believe the developers were aware of
the malicious content.
Ransomware has grown to be one of the biggest cybersecurity issues on the web. The attacks
are increasingly targeting data centers, enterprise infrastructure and cloud for lucrative and
more effective attacks against organizations. Organizations can prevent falling into the trap of
a ransomware attack by ensuring that systems that are not required to be open/publicly facing
online aren’t remotely accessible; hence by applying requisite security updates to prevent
malware from having an edge over vulnerabilities. Besides, organizations should also keep
timely updated offline backups of their data, so if the attack does take place, systems and data
can be restored without giving in to the demands of the cyberattacks.
For more news and information on how to protect your organization, visit our website.
Follow us on Facebook, & LinkedIn or Contact us, 406-646-2102 and get your questions
answered. Feel free to call us 406-646-2102 or mail sales@ExcelliMatrix.com.