A new ransomware strain dubbed CryCryptor targeting Android users, particularly users in Canada posing as an official COVID-19 tracing app from Health Canada.
The CryCryptor is a new ransomware based on the open-source ransomware CryDroid published on Jun 11, 2020.
The malicious campaign started after the Canadian government announced the official tracing app, according to sources the app is still in the testing phase and to be live possibly next month.
Malicious Ransomware Campaign
Security researchers from ESET observed that malicious COVID-19 tracing app distributed using two third-party websites and not through Google Play.
Once the malicious app launched in the device it seeks permission to access files on the device, once permission provided it encrypts files with certain extensions.
The extensions include txt, jpg, BMP, png, pdf, doc, Docx, ppt, pptx, avi, Xls, vcf, pdf, and db files.
The ransomware encrypts files only and not lock the device, it leaves a “readme” file in every directory with encrypted files that have the attacker’s email address.
The good news here is that we are having a decryption tool available for this ransomware, ESET researchers discovered a bug with the malicious app which allows them to create a decryption tool.
Researchers published a video that shows the process of encryption and decryption.