Cofense Email Security

Coronavirus Test Results Return Data-Exfiltrating Ransomware

Phish Found in Environments Protected by SEGs



Microsoft ATP

Cisco IronPort

By Dylan Duncan

Cofense Intelligence has discovered COVID-19-themed phishing campaign that delivers a new version of the Hentai OniChan ransomwareThe new variant, known as King Engine, exfiltrates data and charges a significantly higher ransom than previously analyzed versions of Hentai OniChan. Previous campaigns delivering the Berserker variant of this ransomware used similar phishing emails to target the financial and energy sectors and did not exfiltrate data. Ransomware campaigns that exfiltrate data are becoming more of a common trend as they add to the pressure of paying ransom and reduce the efficacy of file backups. 

The phishing email shown in Figure 1 was found in environments protected by secure email gateways (SEGs) and currently targets the healthcare industry using response subjects allegedly returning patients COVID-19 test results. The spike in coronavirus cases during October has led to more testing and makes this type of phishing campaign even more threatening. This campaign uses common tactics, techniques, and procedures (TTPs) to reach end users and deliver Hentai OniChan ransomware that belongs to the Quimera ransomware family. Though, of course, the addition of data exfiltration, almost certainly to support data leaks should a targeted victim refuse to pay the ransom, is new. This addition highlights a new trend seen in ransomware that is similar to the Avaddon ransomware campaign that was first seen in June and was delivered by the Trik botnet.  

Illustration of a shield and lock for email security

Figure 1  Phishing Email Delivering Hentai OniChan Ransomware. 

Hentai OniChan Ransomware 

Campaigns observed by Cofense that deliver the Hentai OniChan ransomware date back to September and have been found in environments protected by Proofpoint, Symantec, TrendMicro, Microsoft ATP and Cisco IronPort. These campaigns use a common tactic to reach end users by delivering embedded URLs to download an HTML or PDF file. The downloaded files contain components to drop and run the ransomware executable encrypting victims and holding them hostage, promising to provide a decryption application upon receipt of the ransom payment. Once the target’s files are encrypted, a ransom note is provided and a background image, shown in Figure 2, is set explaining the means by which the encrypted user may pay the ransom and regain access to the encrypted data. The ransom note explains to victims affected how to pay the ransom and includes a price, Bitcoin address, timeline and contact email address.Illustration of data analysis and a lock for threat intelligence

Figure 2  Hentai OniChon Ransom Note 

Berserker v. King Engine 

More ransomware operations have added to the chaos by using data exfiltration. This campaign shows Hentai OniChan has joined the trend.The early stages of the Hentai OniChan ransomware that used the Berserker version did not exfiltrate data, and encrypted files with the .HOR extension. The new strain, King Engine, as of now, has only been seen targeting the healthcare industry and exfiltrates data to an email address found within the ransomware executable. This version encrypts files with a .docm extension and charges a significantly higher ransom of 50 Bitcoin (BTC) (~$650,000 USD), whereas the previous version only charged 10 BTC (~$130,000 USD). Based on our analysis, other ransomware threat actors who have followed the data exfiltration trends often set up data leak websites to publish stolen data if the ransom is not paid. Aof now, data leak websites have not been seen by Hentai OniChan operators 

Indicators of Compromise 

Active Threat Report  Date Published 
80619  2020-10-28 
56658  2020-09-14 
All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.  
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Share This Article


We use our own and third-party cookies to enhance your experience. Read more about our cookie policy. By clicking ‘Accept,’ you acknowledge and consent to our use of all cookies on our website.