Digital Epidemic: CoronaVirus vs CoViper

Against the backdrop of the coronavirus pandemic, there is a feeling that a digital epidemic of no smaller scale has flared up alongside it [1]. The growth rate of phishing sites, spam, fraudulent resources, malware and similar malicious activity causes serious concern. The scale of the lawlessness is illustrated by the news that "ransomware extortionists promise not to attack medical institutions" [2]. Yes, exactly like that: those who defend people's lives and health during a pandemic are also attacked by malicious software, as happened in the Czech Republic, where the CoViper ransomware disrupted several hospitals [3].
One wants to understand what the ransomware exploiting the coronavirus theme looks like and why it appears so quickly. Two malware samples were found on the network, CoViper and CoronaVirus, which attacked many computers, including in public hospitals and medical centers.
Both executables are in Portable Executable (PE) format, which means they target Windows, and both are compiled for x86. It is noteworthy that they are very similar to each other; the difference is that CoViper is written in Delphi, as evidenced by the PE timestamp of June 19, 1992 (the fixed link-time stamp that the Delphi linker writes into every binary, not a real build date) and by the section names, while CoronaVirus is written in C. Both are encryptors (ransomware).
Ransomware (also called a cryptolocker or encryptor) is a program that, once it reaches the victim's computer, encrypts the user's files, disrupts the normal boot process of the operating system, and informs the user that they must pay the attackers to get the data decrypted.
Once started, the programs search for user files on the computer and encrypt them. They perform the search using standard Windows API functions for enumerating files, examples of which are easy to find on MSDN [4].
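The two header fields used above to tell the Delphi sample from the C one (the machine type and the 1992 link stamp, plus the section names) can be pulled out of any PE file in a few lines. The following parser is an added example written for this page, not code from the article or from either sample; the two byte strings it analyses are constructed minimal headers shaped like the samples described, and the 2020 timestamp on the C-like stand-in is an arbitrary assumption, not the real sample's value.

```python
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D         # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550      # "PE\0\0"
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
# The Borland/Delphi linker writes this constant into IMAGE_FILE_HEADER.TimeDateStamp
# instead of the real build time; it decodes to 1992-06-19 22:22:17 UTC.
DELPHI_FIXED_TIMESTAMP = 0x2A425E19
# Section names the Delphi linker emits (MSVC uses .text/.data instead).
DELPHI_SECTION_MARKERS = {"CODE", "DATA", "BSS"}


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and section table of a PE image."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size          # IMAGE_FILE_HEADER is 20 bytes long
    sections = []
    for i in range(nsections):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        sections.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": timestamp,
            "characteristics": characteristics, "sections": sections}


def fingerprint(info: dict) -> dict:
    """Turn the raw header fields into the facts an analyst records about a sample."""
    delphi = (info["timestamp"] == DELPHI_FIXED_TIMESTAMP
              and DELPHI_SECTION_MARKERS <= set(info["sections"]))
    stamp = datetime.fromtimestamp(info["timestamp"], timezone.utc)
    return {
        "arch": MACHINE_NAMES.get(info["machine"], hex(info["machine"])),
        "timestamp_utc": stamp.strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_linker": delphi,
        # A 1992 stamp on a Delphi binary says nothing about when it was really built.
        "timestamp_trustworthy": not delphi,
    }


def build_sample_pe(machine: int, timestamp: int, section_names) -> bytes:
    """Constructed minimal PE header for testing; not a real or runnable executable."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0                         # sizeof(IMAGE_OPTIONAL_HEADER32); left zeroed here
    coff = struct.pack("<HHIIIHH", machine, len(section_names), timestamp, 0, 0, opt_size, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + coff + b"\0" * opt_size + table


# Constructed stand-ins shaped like the two samples described in the article.
DELPHI_LIKE = build_sample_pe(0x014C, DELPHI_FIXED_TIMESTAMP,
                              ["CODE", "DATA", "BSS", ".idata", ".tls", ".rdata", ".reloc", ".rsrc"])
C_LIKE = build_sample_pe(0x014C, 0x5E6A1A2B, [".text", ".rdata", ".data", ".rsrc", ".reloc"])

if __name__ == "__main__":
    for label, blob in (("delphi-like", DELPHI_LIKE), ("c-like", C_LIKE)):
        print(label, fingerprint(parse_pe(blob)))
```

To run it against a real file, pass `open(path, "rb").read()` to `parse_pe`. The point of the `timestamp_trustworthy` flag is the caveat the article's dating depends on: a Delphi binary's 1992 stamp is a compiler fingerprint, and the actual build date has to come from somewhere else (the resource section, the PDB path, or first-seen telemetry).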
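The enumerate-and-encrypt loop described above has a defensive mirror image: walk the same directories and look for the ciphertext it leaves behind. The scanner below is an added example for this page, not code from the article or from the samples; it uses Shannon entropy as the indicator, because well-encrypted data is close to 8 bits per byte while documents and text are not, and it deliberately skips formats that are compressed by design (the main false-positive source). The directory tree and file contents it scans are constructed test data written to a temporary folder.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

# File types that are compressed by design and therefore high-entropy when healthy;
# flagging them on entropy alone would drown the scan in false positives.
NATIVELY_COMPRESSED = {".zip", ".7z", ".gz", ".rar", ".docx", ".xlsx", ".pptx",
                       ".pdf", ".jpg", ".jpeg", ".png", ".mp3", ".mp4"}
ENTROPY_THRESHOLD = 7.5      # bits per byte; uniformly random data approaches 8.0
SAMPLE_BYTES = 64 * 1024     # only the head of each file is read
MIN_SIZE = 256               # tiny files give meaningless entropy figures


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty or single-valued input, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    ext = os.path.splitext(path)[1].lower()
    if ext in NATIVELY_COMPRESSED:
        return False
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return len(head) >= MIN_SIZE and shannon_entropy(head) > ENTROPY_THRESHOLD


def scan_tree(root: str) -> list:
    """Walk the tree the way the ransomware enumerates it, but to find its output."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if looks_encrypted(path):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def pseudo_random(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed test data, not real sample output)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def build_sample_tree() -> str:
    """Create a constructed user profile fragment in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="ransom-scan-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "notes.txt"), "wb") as f:
        f.write(b"Meeting notes: discuss quarterly budget and hiring plan.\n" * 40)
    with open(os.path.join(docs, "budget.xls"), "wb") as f:
        f.write(pseudo_random(4096))     # legacy spreadsheet whose body is now ciphertext
    with open(os.path.join(docs, "photo.jpg"), "wb") as f:
        f.write(pseudo_random(4096))     # high entropy is normal for JPEG: must not be flagged
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample_tree()))
```

Run on a real profile with `scan_tree(os.path.expanduser("~"))`. Entropy alone is a triage signal, not proof: it misses ransomware that encrypts only the first kilobytes of each file (extend `SAMPLE_BYTES` or sample several offsets), and it stays silent on the ransom note itself, which is plain text.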

Fig. 1 Search for user files

After some time, they reboot the computer and display a lock message like the one below.
Fig. 2 Blocking message

To disrupt the boot process of the operating system, the encryptors use a simple technique: overwriting the Master Boot Record (MBR) [5] through the Windows API.
Fig. 3 Modification of boot record.
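Because a locker of this kind only has to rewrite one 512-byte sector, checking that sector is just as cheap. The audit below is an added example written for this page, not code from the article or from any of the families it names; it parses the MBR layout (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature), compares the boot code against a baseline hash and sanity-checks the partition table. Both sector images it examines are constructed: the "clean" one has a stand-in loader prologue and a single NTFS partition, the "locked" one has foreign code, a placeholder note and an emptied table.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446                  # x86 boot code, loaded by the BIOS at 0000:7C00
PART_TABLE_OFF = 446                 # four 16-byte partition entries follow the code
BOOT_SIGNATURE = 0xAA55              # bytes 55 AA at offsets 510-511
PART_ENTRY = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        partitions.append({"status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"bootstrap": sector[:BOOTSTRAP_LEN], "partitions": partitions,
            "signature": struct.unpack_from("<H", sector, 510)[0]}


def audit_mbr(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches expectations."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr["bootstrap"]).hexdigest() != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if not used:
        findings.append("partition table is empty")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one partition flagged bootable")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in used)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        findings.append("partition ranges overlap")
    return findings


def build_mbr(bootstrap: bytes, partitions, signature: int = BOOT_SIGNATURE) -> bytes:
    """Constructed MBR image for testing (CHS fields zeroed; not copied from any disk)."""
    table = b"".join(struct.pack(PART_ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
                     for status, ptype, lba, count in partitions)
    return (bootstrap.ljust(BOOTSTRAP_LEN, b"\0")[:BOOTSTRAP_LEN]
            + table.ljust(64, b"\0") + struct.pack("<H", signature))


# Healthy disk: stand-in loader prologue (cli / xor ax,ax / mov ss,ax / mov sp,7C00h / sti)
# and one bootable NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_MBR = build_mbr(b"\xfa\x31\xc0\x8e\xd0\xbc\x00\x7c\xfb", [(0x80, 0x07, 2048, 204800)])
# Baseline from the clean image; in practice capture it while the machine is known-good.
BASELINE_SHA256 = hashlib.sha256(parse_mbr(CLEAN_MBR)["bootstrap"]).hexdigest()
# What a locker leaves behind: its own code plus a note, and no usable partition table.
LOCKED_MBR = build_mbr(b"\xeb\xfe" + b"constructed ransom-note text", [])

if __name__ == "__main__":
    print("clean :", audit_mbr(CLEAN_MBR, BASELINE_SHA256))
    print("locked:", audit_mbr(LOCKED_MBR, BASELINE_SHA256))
```

On a live system the sector comes from the first 512 bytes of the raw disk (`/dev/sda` on Linux, `\\.\PhysicalDrive0` on Windows, both requiring administrator rights), which is exactly the handle the lockers open for writing. The check applies to legacy BIOS/MBR disks; a GPT disk carries a protective MBR with a single type 0xEE entry, and a UEFI machine boots from the EFI system partition, so there the baseline should cover that partition's boot manager instead.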

Many other ransomware families (SmartRansom, Maze, ONI Ransomware, Bioskits, MBRlock Ransomware, HDDCryptor Ransomware, RedBoot, UselessDisk) use this method of disabling the computer. MBR overwriting became available to the general public with the appearance of source code for programs such as MBR Locker on the network. As confirmation, on GitHub [6] you can find a huge number of repositories with source code or finished Visual Studio projects.
Compiling this code from GitHub [7] yields a program that crashes the user's computer within a few seconds, and building it takes about five to ten minutes.
It turns out that assembling malicious software does not require great skill or special tools; anyone can do it anywhere. The code circulates freely on the network and easily propagates into programs of this kind. This is worth thinking about. It is a serious problem that requires intervention and specific measures.
