Cybercriminals regularly use major newsworthy events as an opportunity to lure targets into their trap. The COVID-19 pandemic probably constitutes one of the most prolific and advantageous settings for the bad actors to launch their attacks: an anxious population, a digital transformation movement that pushed everyone online, high demand for goods that are no longer in stock, and masses of misinformation sloshing around on social media. All this equates to a most favourable opportunity for cybercriminals that capitalize on people’s fears and defraud them while they are at their most vulnerable.
This presentation will begin by briefly showing some concrete examples of scams leveraging the COVID-19 environment, from malware-laden emails to fake donation websites attempting to extract personal information from unsuspecting visitors. We will then dive into the case of CryCryptor, an Android ransomware posing as a COVID-19 tracing application. We start by showing how the malware distribution scheme was built to specifically target Canadians and continue with the technical analysis of CryCryptor. Finally, we will present how the ransomware functionality was implemented, including details about the vulnerability that allowed the ESET researchers to create a generic decryptor. Said decryptor allowed the victims of this attack to recover any file encrypted with CryCryptor without having to pay a dime to the attackers.