
Cyber Incident Victim: University of Toronto

Date: Mar 2020

Location: Canada

Summary

A Canadian medical research university involved in COVID-19 response efforts was targeted by ransomware attackers using coronavirus-themed phishing emails impersonating the World Health Organization. The malicious campaign delivered weaponized RTF attachments exploiting a known Microsoft vulnerability to deploy EDA2-based ransomware, which encrypted files with a ".locked20" extension and exfiltrated host details to command-and-control servers. This incident was part of broader attacks against healthcare and research entities globally, leveraging pandemic-related lures to compromise critical organizations during the crisis.


Description

Between March 24 and March 26, 2020, threat actors conducted a ransomware attack targeting a Canadian university engaged in COVID-19 research and a Canadian government health organization involved in pandemic response. The attackers sent phishing emails from the spoofed address [email protected], impersonating the World Health Organization, with the actual emails originating from IP address 176.223.133.91. These messages contained a malicious Rich Text Format (RTF) attachment named "20200323-sitrep-63-covid.doc," referencing the date March 23, 2020. When opened on vulnerable systems, the attachment exploited CVE-2012-0158, a buffer overflow vulnerability in Microsoft’s ListView/TreeView ActiveX controls within the MSCOMCTL.OCX library. This exploit enabled the delivery of a ransomware payload. Palo Alto Networks' Unit 42 researchers observed the malicious emails between March 24 at 18:25 UTC and March 26 at 11:54 UTC, noting the campaign specifically targeted individuals associated with the university and health organization. The attackers did not update the filename or lure content during the campaign period.


Upon execution, the ransomware binary contacted a command-and-control (C2) server to download an image serving as the infection notification displayed to victims. It collected host details, including username and hostname, and transmitted this data to the C2 to generate a custom encryption key. The C2 returned the key to the infected host, which then initiated an HTTP POST request to "www.tempinfo.96.lt/wras/savekey.php" to transmit the AES-encrypted decryption key alongside host identifiers. Files on the compromised systems’ desktops were encrypted with the ".locked20" extension. Researchers identified the ransomware as EDA2-based, an open-source strain originally developed for educational purposes. The attack formed part of a broader pattern of COVID-19-themed campaigns targeting critical sectors, including defense, government, technology, and medical entities across multiple countries. Palo Alto Networks confirmed the campaign’s focus on organizations directly involved in pandemic response efforts but did not disclose specific containment measures or operational disruptions experienced by the university.
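As an added detection example (not part of this incident record), the indicators quoted above turned into a small sweep over constructed mail-gateway, proxy and file-event log lines. The log format, field names and every sample value other than the quoted indicators are assumptions; the RTF-behind-.doc check relies only on the fact that RTF files begin with the `{\rtf` control word.

```python
import re

# Indicator values quoted in the description above.
ORIGIN_IP = "176.223.133.91"
LURE_FILENAME = "20200323-sitrep-63-covid.doc"
C2_HOST = "www.tempinfo.96.lt"
C2_KEY_PATH = "/wras/savekey.php"
RANSOM_EXT = ".locked20"
RTF_MAGIC = b"{\\rtf"  # every RTF document starts with this control word
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"

def parse_kv(line: str) -> dict:
    """Parse 'timestamp TYPE key=value key="quoted value"' into a dict."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return {}
    fields = {"ts": parts[0], "type": parts[1]}
    for key, raw, quoted in KV.findall(parts[2]):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def attachment_findings(name: str, content: bytes) -> list[str]:
    """Check an extracted attachment: lure name, or RTF bytes behind a .doc name."""
    hits = ["known lure filename"] if name.lower() == LURE_FILENAME else []
    if name.lower().endswith((".doc", ".docx")) and content.startswith(RTF_MAGIC):
        hits.append("RTF payload behind a Word extension")
    return hits

def log_findings(line: str) -> list[str]:
    """Match one mail-gateway, proxy or file-event line against the indicators."""
    f, hits = parse_kv(line), []
    if f.get("type") == "MAIL":
        if f.get("src_ip") == ORIGIN_IP:
            hits.append("mail from known sending IP")
        if f.get("attach", "").lower() == LURE_FILENAME:
            hits.append("known lure filename")
    elif f.get("type") == "HTTP" and f.get("host") == C2_HOST:
        hits.append("traffic to C2 host")
        if f.get("method") == "POST" and f.get("path") == C2_KEY_PATH:
            hits.append("encrypted key upload to savekey.php")
    elif f.get("type") == "FILE" and f.get("path", "").lower().endswith(RANSOM_EXT):
        hits.append("file renamed with ransomware extension")
    return hits

def sweep(lines) -> dict[int, list[str]]:  # 1-based line number -> findings
    return {n: h for n, line in enumerate(lines, 1) if (h := log_findings(line))}

SAMPLE_LOGS = [  # constructed sample telemetry, not from the incident
    '2020-03-24T18:25:00Z MAIL src_ip=176.223.133.91 from="World Health Organization <sender@example.invalid>" attach="20200323-sitrep-63-covid.doc"',
    '2020-03-24T18:40:00Z MAIL src_ip=203.0.113.7 from="colleague@example.invalid" attach="agenda.docx"',
    '2020-03-25T09:10:00Z HTTP method=POST host=www.tempinfo.96.lt path=/wras/savekey.php',
    r'2020-03-25T09:11:00Z FILE op=rename path="C:\Users\alice\Desktop\report.xlsx.locked20"',
]
```

Running `sweep(SAMPLE_LOGS)` flags lines 1, 3 and 4 and leaves the benign mail on line 2 alone; the attachment check is meant to run on the extracted file bytes, which gateway logs usually do not carry.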
