Cyber Crime

Fake COVID-19 test result email drops King Engine ransomware

“King Engine” ransomware is a variant of Hentai OniChan ransomware.

According to Cofense Intelligence researchers, a new version of Hentai OniChan ransomware dubbed “King Engine” is being delivered in a Coronavirus-themed phishing campaign.



The new variant exfiltrates data and demands a massive amount as ransom, which is significantly higher than previously discovered Hentai OniChan campaigns.

According to researchers, cybercriminals used the Berserker variant of this ransomware previously in their campaign, which didn’t exfiltrate data and mainly targeted the energy and finance sectors.

However, this is a tricky campaign that uses the COVID-19 scare to compromise the victim’s device. In this scam,  attackers are sending emails that contain the recipient’s Coronavirus test result in an attachment, which is just a lure to convince the victim to open the attachment.

As shown in the image above, the email also provides a password for opening the document and mentions a nurse who can answer their questions. However, it is a trick to make the email appear legitimate.

In a blog post, the researchers explained that the downloadable PDF or HTML attachment drops and executes the Hentai OniChan ransomware on the recipient’s device. After exfiltrating data, the victim is asked to pay 50 BTC (£524,725 – €584,299- $676,000).

It is an absurdly high figure, which not many would be interested in paying to get decryption keys for unlocking their data.



Other than the absurd price, the email address mentioned on the ransom note is a Gmail one which says a lot about the level of maturity of the scammer being this campaign.

Ransom note

Cofense Intelligence researchers stated in a blog post that the Hentai OniChan ransomware was discovered in September and is found in an environment protected by Symantec, Proofpoint, Cisco IronPort, Microsoft ATP, and TrendMicro.

Since COVID-19 infections are consistently rising around the globe, a large number of people have taken a test and awaiting results. The attackers are exploiting a real threat, and it is working in their favor at the moment.

If you are on the internet, you are vulnerable to such attacks. Make sure you don’t fall these scare tactics and don’t download or open files from anonymous users. In case you have downloaded a file from the internet scan it on VirusTotal before proceeding further.



To Top

Pin It on Pinterest

Share This