Ransomware Spoofing COVID-19 Contact Tracing App: What to Do

Canadians are being targeted by a new ransomware campaign masquerading as an official Coronavirus contact tracking app.

Discovered by researchers at cybersecurity firm ESET, the ransomware, called CryCryptor, infects Android devices and encrypts unsuspecting victims' files.

Online scammers are distributing the ransomware through two websites claiming to offer official contact tracking services from Health Canada. Created in early June, the ransomware uses source code taken from the code-hosting site GitHub.

"CryCryptor surfaced just days after the Canadian government officially announced its intention to support the development of a nationwide voluntary tracking app called COVID Alert," ESET's Lukas Stefanko explained in a blog post.

"The official app will be tested and rolled out in Ontario as early as next month."

After conducting a detailed analysis of the ransomware, ESET researchers posted a decryption app on GitHub that allows users to decrypt files compromised by CryCryptor.

According to Stefanko, the ransomware encrypts "all of the most common types of files," while a "readme" file containing the scammer's email address appears in "all directories containing encrypted files."

ESET researchers encountered the ransomware on Twitter and, after analyzing it, discovered a flaw that allows scammers to "launch exported services provided by the ransomware."

Once launched, the ransomware gains the necessary permissions to access files and then encrypts them. However, the phone screen is not locked and the device remains usable.

"The selected files are encrypted using AES with a randomly generated 16-character key; after CryCryptor encrypts the files, three new files are created and the original files are deleted." [The encrypted files are appended with the extension ".enc", and the algorithm generates a unique salt for each encrypted file and stores it with the extension ".enc.salt".]

Once all files have been encrypted, the user receives a notification that "your personal files have been encrypted, see readme_now.txt". The readme_now.txt note appears alongside all files that have been compromised.
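The on-disk traces described above (a ".enc" file per victim file, a matching ".enc.salt" file, and a readme_now.txt note in each affected directory) are what a responder looks for when triaging a device. The following script is an added example, not ESET's decryptor or any code from the original report: it builds a constructed sample directory tree that mimics those artifacts, walks it, and reports per-directory counts plus any ".enc" files whose salt file is missing (a recovery tool would need both). The directory names and file contents are invented sample data.

```python
import os
import tempfile

# Artifact names as described in the report (triage rules assumed from the article's text).
ENC_EXT = ".enc"
SALT_EXT = ".enc.salt"
NOTE_NAME = "readme_now.txt"


def scan_tree(root):
    """Walk `root` and collect CryCryptor-style artifacts per directory.

    Returns {directory: {"encrypted": [...], "missing_salt": [...],
                         "orphan_salt": [...], "note": bool}}.
    Only directories showing at least one artifact are included.
    """
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        names = set(filenames)
        encrypted = sorted(n for n in names if n.endswith(ENC_EXT))
        salts = sorted(n for n in names if n.endswith(SALT_EXT))
        # A "<name>.enc" should be paired with "<name>.enc.salt"; flag either half alone.
        missing_salt = [n for n in encrypted if n + ".salt" not in names]
        orphan_salt = [s for s in salts if s[: -len(".salt")] not in names]
        note = NOTE_NAME in names
        if encrypted or salts or note:
            report[dirpath] = {
                "encrypted": encrypted,
                "missing_salt": missing_salt,
                "orphan_salt": orphan_salt,
                "note": note,
            }
    return report


def summarize(report):
    """Reduce a scan report to the headline numbers a responder wants first."""
    return {
        "encrypted_files": sum(len(v["encrypted"]) for v in report.values()),
        "dirs_with_note": sum(1 for v in report.values() if v["note"]),
        "incomplete_pairs": sum(
            len(v["missing_salt"]) + len(v["orphan_salt"]) for v in report.values()
        ),
    }


def build_sample_tree(root):
    """Create a constructed layout resembling an affected phone (sample data only)."""
    layout = {
        "DCIM": ["IMG_0001.jpg.enc", "IMG_0001.jpg.enc.salt",
                 "IMG_0002.jpg.enc", "IMG_0002.jpg.enc.salt", NOTE_NAME],
        # report.pdf.enc deliberately has no salt file, to exercise the missing-salt check.
        "Documents": ["notes.txt.enc", "notes.txt.enc.salt", "report.pdf.enc", NOTE_NAME],
        "Music": ["song.mp3"],  # untouched directory, should not appear in the report
    }
    for sub, files in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for f in files:
            with open(os.path.join(d, f), "wb") as fh:
                fh.write(b"sample bytes")  # content is irrelevant to the name-based triage


def run_demo():
    """Build the sample tree in a temp dir, scan it, and return (report, summary)."""
    root = tempfile.mkdtemp(prefix="crycryptor_triage_")
    build_sample_tree(root)
    report = scan_tree(root)
    return report, summarize(report)


if __name__ == "__main__":
    report, summary = run_demo()
    for d, info in sorted(report.items()):
        print(f"{d}: {len(info['encrypted'])} encrypted, note={info['note']}, "
              f"missing_salt={info['missing_salt']}, orphan_salt={info['orphan_salt']}")
    print(summary)
```

The scan is name-based only, so it is cheap to run over a full device backup; the "incomplete_pairs" count tells you up front which files a decryption tool will not be able to restore because their salt file is gone.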

To avoid becoming a victim of this ransomware, ESET recommends the following: "In addition to using a high-quality mobile security solution, we recommend that Android users install apps only from trusted sources, such as the Google Play Store."

To use ESET's own decryption tool, go to https://github.com/eset/cry-decryptor/releases and download the file named "CryDecryptor.apk" to your Android phone, or to your Mac or PC.

If you downloaded it directly to your Android device, locate the downloads folder in the file manager, find the downloaded CryDecryptor.apk, and double-click it.

Your phone will warn you that this is a suspicious file (which is normal) and prompt you to change your file manager permissions to allow the installation of third-party apps.

If you downloaded the file to your Mac or PC, you can connect your Android phone to your computer using a USB cable. In the computer's file manager, you should be able to copy and paste the APK file to a specific location on your Android device.
