COVID-19 Hard Drive Wiper
I. Targeted Industries
- Higher Education
- K-12 Education
- Financial Services
- Independent Organizations
COVID-19-themed hard drive wiper malware is destroying PCs. Samples collected were found to either wipe files or rewrite a computer’s master boot record (MBR). Once the MBR is rewritten, it takes a specialist to rebuild it to working order (1). Several of these wipers and rewriters are created with open-source tools released on YouTube and Discord. Some of these wipers are not being distributed maliciously but could be used as such (2).
III. Background Information
Four samples of either data wipers or MBR rewriters were analyzed over the past month. The first data wiper, written in Chinese, was found in February, leading researchers to believe that it targeted Chinese nationals. The second data wiper was found in Italy on April 2 (4).
Of the two MBR rewriters, the first one found (named CoViper) freezes the screen as it rewrites the MBR (5). The other, which is currently nameless, disguises itself as the CoronaVirus ransomware while it steals your information. Then it rewrites the MBR, locking the device (1). The motive appears to be nothing more than inciting destruction.
If these malware strains infect computer systems, they could lead to the loss of data, time, and money.
Recommended Article for more information on CoViper: https://securitynews.sonicwall.com/xmlpost/coronavirus-trojan-overwriting-the-mbr/
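The advisory notes that once the MBR has been rewritten the system no longer boots and a specialist is needed to rebuild it. A defender can catch such tampering early by comparing the first 512 bytes of a disk against a known-good baseline and sanity-checking the structure of the sector. The following is an added example written for this report, not code from the advisory or from any of the cited research; the MBR images it checks are constructed inline, and the disk size used for bounds checking is an assumed value. It only reads MBR images and never writes to a device.

```python
"""Check a 512-byte master boot record (MBR) image for signs of overwriting.

Added example for the advisory above (not the advisory's own code).
Assumptions: a 1 GiB disk for the partition bounds check, and a baseline
SHA-256 recorded while the system was known to be healthy.
"""
import hashlib
import struct
from typing import List, Optional

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries start here
SIGNATURE_OFFSET = 510           # last two bytes must be 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count
DISK_SECTORS = 2 * 1024 * 1024   # assumed 1 GiB disk (512-byte sectors)


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Construct an MBR image (test data only).

    partitions: list of (status, type, lba_start, sector_count) tuples.
    CHS fields are left zero; the checks below use the LBA fields.
    """
    mbr = bytearray(MBR_SIZE)
    boot = bootstrap[:PART_TABLE_OFFSET]
    mbr[:len(boot)] = boot
    for i, (status, ptype, start, count) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> List[dict]:
    """Return the non-empty entries of the partition table."""
    entries = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"status": status, "type": ptype,
                            "start": start, "sectors": count})
    return entries


def load_mbr(path: str) -> bytes:
    """Read the first sector of a saved disk image (read-only)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None,
              disk_sectors: int = DISK_SECTORS) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table empty")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid status byte {p['status']:#x}")
        if p["start"] == 0 or p["start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition at LBA {p['start']} out of disk bounds")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    if baseline_sha256 is not None:
        if hashlib.sha256(mbr).hexdigest() != baseline_sha256:
            findings.append("MBR hash differs from baseline")
    return findings


# Constructed sample data: a healthy MBR with one active NTFS-type partition,
# its baseline hash, a fully zeroed sector, and a sector whose boot code was
# replaced but whose partition table and signature were left intact.
GOOD_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 100,
                     [(0x80, 0x07, 2048, DISK_SECTORS - 2048)])
BASELINE_SHA256 = hashlib.sha256(GOOD_MBR).hexdigest()
WIPED_MBR = bytes(MBR_SIZE)
MODIFIED_MBR = b"\xeb\xfe" + GOOD_MBR[2:]

if __name__ == "__main__":
    for name, img in (("good", GOOD_MBR), ("wiped", WIPED_MBR), ("modified", MODIFIED_MBR)):
        print(name, check_mbr(img, BASELINE_SHA256) or "ok")
```

On a live system the baseline hash should be recorded and stored off-host while the machine is known to be clean; the structural checks alone catch a sector that has been zeroed or replaced with text, while the hash comparison also catches boot code that was swapped out but left a valid partition table behind.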
Consistently perform backups on systems locally and off-site. Have multiple backups if one is overwritten.
Before installing any software, look over the reviews. Verify the legitimacy of the installation package and website. It’s recommended to avoid third-party sites for software.
Ensure the anti-virus software is updated and the firewall is on and configured properly. Ensure operating systems are up-to-date with the most recent security updates. The latest patches and versions should also be installed.
User Awareness Training
Avoid suspicious emails, links, websites, attachments, etc. Users should be educated about new types of attacks and schemes to mitigate risk.
Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
Implementing account controls can limit what a user and program can do without proper permission. Users will also be notified when changes or modifications are attempted.
Implement password management processes.
Perform Security Scans
Run scheduled scans on your systems and files.
V. Indicators of Compromise (IOCs)
Indicators of Compromise include:
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar. https://usf.box.com/s/izk0k9pc1l0sjzpfhxkjjeffmhz2ycz7
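The IOC list for this report is distributed as a separate download, and the recommendations above call for scheduled scans of systems and files. The following added example (not part of the advisory, and not the advisory's IOC list) shows how a hash-based sweep works: it walks a directory tree, hashes each file in chunks, and reports any file whose SHA-256 appears in an IOC set. The IOC entry it matches against is a constructed placeholder derived from a constructed sample file, so the real hashes from the advisory's download would be substituted in practice.

```python
"""Sweep a directory tree for files whose SHA-256 matches an IOC list.

Added example for the advisory above (not the advisory's own code).
The IOC entry below is constructed from sample data; replace it with the
hashes from the report's IOC download when used for real.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large files do not load into memory


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, iocs: Dict[str, str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (matches, unreadable).

    matches:    list of (path, IOC label) for files whose hash is in `iocs`
    unreadable: files that could not be hashed (permissions, vanished, etc.)
    """
    matches, unreadable = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the tree
            try:
                digest = sha256_file(path)
            except OSError:
                unreadable.append(path)
                continue
            if digest in iocs:
                matches.append((path, iocs[digest]))
    return matches, unreadable


# Constructed sample: a fake "malicious" payload and a benign file.
SAMPLE_BAD = b"constructed sample payload bytes (placeholder, not real malware)"
SAMPLE_GOOD = b"ordinary document contents"
IOCS = {hashlib.sha256(SAMPLE_BAD).hexdigest(): "placeholder-IOC-1 (constructed)"}


def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Build a temporary tree containing both samples and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        nested = os.path.join(root, "nested")
        os.makedirs(nested)
        with open(os.path.join(nested, "update.exe"), "wb") as fh:
            fh.write(SAMPLE_BAD)
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(SAMPLE_GOOD)
        matches, unreadable = sweep(root, IOCS)
        # strip the temporary prefix so results are stable for callers
        return ([(os.path.relpath(p, root), label) for p, label in matches],
                [os.path.relpath(p, root) for p in unreadable])


if __name__ == "__main__":
    print(demo())
```

Hash matching only finds exact copies of known samples; it should be combined with the anti-virus and update practices above, since a recompiled or repacked wiper will have a different hash.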
(1) “Cyber Security Today – COVID-19 Malware Wipes Hard Drives, a Warning from Governments, and a Microsoft Alert over VPNs.” IT World Canada, April 7, 2020. https://www.itworldcanada.com/article/cyber-security-today-covid-19-malware-wipes-hard-drives-a-warning-from-governments-on-coronavirus-aid-scams-and-a-microsoft-alert-over-vpns/429273
(2) Abrams, Lawrence. “New Coronavirus-Themed Malware Locks You Out of Windows.” BleepingComputer, April 2, 2020. https://www.bleepingcomputer.com/news/security/new-coronavirus-themed-malware-locks-you-out-of-windows/
(3) Cimpanu, Catalin. “There’s now COVID-19 malware that will wipe your PC and rewrite your MBR.” ZDNet, April 7, 2020. https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/
(4) Rubin, Jan. “CoViper locking down computers during lockdown.” Decoded, April 7, 2020. https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/