COVID-19-themed Phishing Campaigns Distributing King Engine Ransomware

Cybercriminals have been taking advantage of the most crucial global health calamity of the century to launch COVID-19-themed phishing campaigns. The ransomware threat landscape for Q3 2020 has increased 50 percent from the first half of the year, with the U.S. healthcare sector the most targeted globally.

King Engine fueling up the campaign

Cofense Intelligence researchers have observed a campaign leveraging COVID-19-themed phishing lures.
Threat actors are reportedly using Hentai OniChan ransomware and its new variant called King Engine to lead campaigns to compromise target devices. These phishing emails have been successful in penetrating environments protected by Secure Email Gateways (SEGs).
  • In the recent campaign, threat actors have been using a fake receipt of coronavirus test results as an attachment to lure victims into opening it. The attachment contains components to drop and run the ransomware executable encrypting victims and holding them hostage, asking a significantly high ransom of 50 Bitcoin.
  • The new strain has only been seen targeting the healthcare sector and is using data exfiltration techniques that pressurize the victim and reduce the efficacy of file backups.

A lookback

  • The campaigns originated in September with the Berserker variant of Hentai OniChan ransomware.
  • The Berserker variant did not exfiltrate data and encrypted files with the .HOR extension. That campaign had targeted the financial and energy sectors, while the latest King Engine has been observed targeting the healthcare sector specifically.

Trends tell a story

The recent spike in coronavirus cases has given threat actors the opportunity to launch ransomware attacks against the healthcare sector.

The inevitable truth

During the pandemic, the demand for healthcare services increased, making it necessarily critical for healthcare organizations to take a proactive approach to prevent and minimize the overall impact of cyberattacks.