Skip to main content

Ransomware spoofs COVID-19 contact-tracing app: What to do

Tinted microscope image of a coronavirus displayed on an Android phone.
(Image credit: photosince/Shutterstock)

Canadians are being targeted by a new ransomware campaign that pretends to be an official coronavirus contact-tracing app.

The ransomware, called CryCryptor and discovered by researchers at cybersecurity firm ESET, infects Android devices and encrypts the files of unsuspecting victims.

Online crooks are circulating the ransomware via two websites that claim to offer official contact-tracing services from Health Canada. Created in early June, the ransomware uses source code from programming repository Github. 

"CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert,"  explained ESET's Lukas Stefanko in a blog post. "The official app is due to be rolled out for testing in the province of Ontario as soon as next month." 

After conducting a detailed analysis of the ransomware, ESET researchers posted a decryption app on Github that allows users to decrypt files breached by CryCryptor.

Encrypting all files

Stefanko said the ransomware encrypts "all the most common types of files", while a "readme" file containing the crook's email address appears in "every directory with encrypted files".

ESET researchers came across the ransomware on Twitter, and after analysing it, they went on to discover a flaw that allows crooks to "launch any exported service provided by the ransomware".

Once launched, the ransomware gains necessary permissions to enter files and subsequently encrypts them. However, the phone's screen will not be locked and the device will still be usable.

"Selected files are encrypted using AES with a randomly generated 16-character key. After CryCryptor encrypts a file, three new files are created, and the original file is removed," said Stefanko.

"The encrypted file has the file extension '.enc' appended,  and the algorithm generates a salt unique for every encrypted file, stored with the extension '.enc.salt'; and an initialization vector, '.enc.iv'."

When all files have been encrypted, users then see a notification that says "Personal files encrypted, see readme_now.txt". This appears in every compromised file. 

How to avoid this Android ransomware

To avoid falling victim to this ransomware, ESET recommends: "On top of using a quality mobile security solution, we advise Android users to install apps only from reputable sources such as the Google Play store."

To use ESET's own decryption tool, browse to https://github.com/eset/cry-decryptor/releases and download the file named "CryDecryptor.apk" to your Android phone or to a Mac or a PC. 

If you downloaded the file straight to an Android device, locate the Downloads folder in a file manager, find the downloaded CryDecryptor.apk and double-click it. 

Your phone should alert you that this is a suspicious file (that's normal) and will prompt you to change the permissions for the file manager to allow installation of third-party apps.

If you downloaded the file to a Mac or PC, you can connect your Android phone to the computer using a USB cable. The computer's file manager should allow you to copy and paste the APK file to a specific location on the Android device, from which you can locate and launch it as indicated above.