A new ransomware called JNEC.a spreads by exploiting a recently reported ACE code execution vulnerability in WinRAR. After it encrypts the computer, it generates a Gmail address that victims must create themselves in order to receive the decryption key once the ransom is paid.
Once running, the ransomware encrypts the files on the computer and appends the .Jnec extension to the original file names. The price for the decryption key is 0.05 bitcoins (around $200).
The address appears in the ransom note but has not yet been registered. Registering it is left to the victims, if they wish to recover their files after paying the ransom.
To make sure victims understand how to recover their data, the malware author also provides clear instructions on how to create that specific Gmail address; these can be found in the JNec.README.TXT ransom note.
Qihoo 360 Threat Intelligence Center researchers found in the wild an archive, "vk_4221345.rar", that delivers JNEC.a when it is extracted with a vulnerable version of WinRAR, which covers all versions released over the past 19 years.
IOCs
RAR Archive: 551541d5a9e2418b382e331382ce1e34ddbd92f11772a5d39a4aeb36f89b315e
Ransomware: d3f74955d9a69678b0fabb4cc0e298fb0909a96ea68865871364578d99cd8025
Warning!!! Possibly the first #ransomware (vk_4221345.rar) spread by #WinRAR exploit (#CVE-2018-20250). The attacker lures victims to decompress the archive through embedding a corrupt and incomplete female picture. It renames files with .Jnec extension. https://t.co/MHNgHw7zAI pic.twitter.com/Tn5SoXht2A
360 Threat Intelligence Center (@360TIC), March 18, 2019
FILES DETAILS:
File Path: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdate.exe
Files Analysis by VirusTotal and App.Any.Run
1 comment:
0,05 bitcoins (around $ 200) for the decryption key is not that much. Nevertheless, the feeling of being "owned" by a hacker is much worse.