Researchers at Cyble recently uncovered a new version of the Punisher ransomware that is being spread through a fake COVID-19 tracking app and is targeting Chilean citizens. After infecting the victim’s system, the malware adds the following to the ransom note:
- System ID;
- Unique ID of the victim;
- Bitcoin wallet address for paying the ransom;
- JS code that starts a timer that increases the ransom amount depending on the elapsed time.
The ransom note appears as a shortcut named "unlock your files.lnk" on the victim's desktop and in the "Start" menu. The attackers demand $1,000 in bitcoins to decrypt the files.
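For triage, the shortcut name above can be hunted across every user profile on a live host or a mounted disk image. The sketch below is an added example, not code from the Cyble report; the per-user Desktop and Start Menu paths are the standard Windows locations and are an assumption, since the page gives no exact paths.

```python
import os
from pathlib import Path

# Shortcut name reported on the page; compared case-insensitively.
NOTE_NAME = "unlock your files.lnk"

# Standard per-user Windows locations for the desktop and Start menu
# (assumption: the page does not give exact paths).
PROFILE_SUBDIRS = (
    ("Desktop",),
    ("AppData", "Roaming", "Microsoft", "Windows", "Start Menu"),
)


def _child_ci(parent, name):
    """Return the child of `parent` matching `name` case-insensitively, or None."""
    try:
        for entry in parent.iterdir():
            if entry.name.lower() == name.lower():
                return entry
    except OSError:  # unreadable, or `parent` is not a directory
        pass
    return None


def find_ransom_notes(users_root):
    """Return sorted paths of the ransom-note shortcut under each profile."""
    hits = []
    root = Path(users_root)
    if not root.is_dir():
        return hits
    for profile in root.iterdir():
        if not profile.is_dir():
            continue
        for parts in PROFILE_SUBDIRS:
            base = profile
            for part in parts:  # resolve each component ignoring case
                base = _child_ci(base, part) if base else None
            if base is None or not base.is_dir():
                continue
            for dirpath, _dirs, files in os.walk(base):
                hits.extend(os.path.join(dirpath, f)
                            for f in files if f.lower() == NOTE_NAME)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for hit in find_ransom_notes(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"):
        print(hit)
```

Case-insensitive matching matters when the image is mounted on a case-sensitive filesystem, where Windows paths keep whatever capitalisation they were created with.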
After analyzing the operators' methods and the size of the ransom, the researchers concluded that the malware operators are targeting ordinary users rather than large companies. In addition, Punisher-encrypted files are easy to decrypt because encryption uses AES-128, a symmetric algorithm in which the same key both encrypts and decrypts.
Experts advise users to be vigilant and take extreme care with COVID-19-related applications: download them from trusted sources, remember to make regular backups, enable automatic software updates, and use a reliable antivirus.