A new ransomware called JNEC.a spreads through an exploit for the recently reported code execution vulnerability in WinRAR's handling of ACE archives. After encrypting a computer, it generates a Gmail address that victims need to register in order to receive the file decryption key once they pay the ransom.

Once executed, the ransomware encrypts data on the computer and appends the .Jnec extension after the file's original one. The price for the decryption key is 0.05 bitcoins (about $200).

The interesting part is that the malware author chose an unusual method to deliver the file decryption keys: the ID number unique to each affected computer doubles as the Gmail address through which the key is delivered.

Although the address appears in the ransom note, it is not registered yet; registering it falls to the victim if they want to recover their files after paying the ransom.

Just to make sure that victims understand how to recover their data, the malware author also provides clear instructions for creating the specific Gmail address; these are in the JNEC.README.TXT ransom note that the ransomware drops on an infected computer.

Researchers at Qihoo 360 Threat Intelligence Center spotted in the wild an archive called “vk_4221345.rar” that delivers JNEC.a when its contents are extracted with a vulnerable version of WinRAR, which covers every release of the past 19 years except 5.70 and newer.

Warning!!! Possibly the first #ransomware (vk_4221345.rar) spread by #WinRAR exploit (#CVE-2018-20250). The attacker lures victims to decompress the archive through embedding a corrupt and incomplete female picture. It renames files with .Jnec extension. https://t.co/MHNgHw7zAI pic.twitter.com/Tn5SoXht2A

— 360 Threat Intelligence Center (@360TIC) March 18, 2019

JNEC.a is written in .NET, and falling for it starts with extracting the contents of the rigged archive. Inside is a corrupt image of a girl which, when decompressed, triggers an error and shows an incomplete picture.

The error and the picture fragment make the whole thing look like a technical fault, so the user won’t give it a second thought. By then, however, the ransomware has already been dropped on the system.

The WinRAR exploit lets the author drop the malware into the Windows Startup folder, so it runs at the next login.

To hide its presence, the author named it “GoogleUpdate.exe,” so it is easily mistaken for Google’s update process.

Exploiting the WinRAR vulnerability is not difficult. After Check Point published their analysis of the flaw, proof-of-concept code emerged online. Soon after, a script that automated the creation of malicious archives with arbitrary payloads appeared on GitHub.

Last week, McAfee reported that in the week following the vulnerability disclosure more than 100 unique exploits were identified, and the number kept growing.

At the time of writing, 29 antivirus engines detect JNEC.a as a threat. The ransomware encrypts files in their entirety, which could be why we saw it move slowly during our tests.

The bitcoin wallet designated for ransom payments shows 12 transactions, but none of them appears to be from a victim, as the most recent incoming payment dates from October 2018. At the time of writing, the balance is 0.05738157 BTC, which converts to $229.

Update 3/18/19:

This ransomware has been analyzed by Michael Gillespie, who determined that, due to a bug, even the developer would not be able to decrypt the files it encrypts.

IOCs

Hashes:

RAR Archive: 551541d5a9e2418b382e331382ce1e34ddbd92f11772a5d39a4aeb36f89b315e
Ransomware: d3f74955d9a69678b0fabb4cc0e298fb0909a96ea68865871364578d99cd8025

Files:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdate.exe
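The two pieces of this story a defender can act on directly are the persistence location (an executable named GoogleUpdate.exe written into the per-user Startup folder) and the IOC list above. The following script is an added example and is not code from the article or from the 360 Threat Intelligence Center; it triages the Startup folder by first matching SHA-256 digests against the two hashes published above, then flagging the GoogleUpdate.exe file name the payload uses, and separately counts files carrying the appended .Jnec extension. The `build_demo_tree` helper creates a constructed, harmless sample host so the script runs offline; the triage extension set is an assumption, not something the article specifies.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values are the two IOC hashes published in the article.
JNEC_IOC_HASHES = {
    "551541d5a9e2418b382e331382ce1e34ddbd92f11772a5d39a4aeb36f89b315e": "JNEC.a RAR archive (vk_4221345.rar)",
    "d3f74955d9a69678b0fabb4cc0e298fb0909a96ea68865871364578d99cd8025": "JNEC.a payload (GoogleUpdate.exe)",
}

# File name the article reports the payload uses in the Startup folder.
JNEC_DROP_NAME = "googleupdate.exe"

# Assumption: a reasonable set of "runs at login" suffixes for Startup-folder triage.
STARTUP_EXEC_SUFFIXES = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def startup_folder() -> Path:
    """The per-user Startup folder from the IOC list, with %AppData% resolved from the environment."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(name: str, digest: str) -> str:
    """Verdict for one Startup item: an IOC hash match outranks a name match, which outranks generic review."""
    if digest in JNEC_IOC_HASHES:
        return "ioc-hash-match"
    if name.lower() == JNEC_DROP_NAME:
        return "suspicious-name"
    return "review"


def scan_startup(folder: Path) -> list:
    """Return (path, verdict, detail) for every executable-like file in the given Startup folder."""
    findings = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in STARTUP_EXEC_SUFFIXES:
            continue
        digest = sha256_of(entry)
        detail = JNEC_IOC_HASHES.get(digest, f"sha256={digest}")
        findings.append((str(entry), classify(entry.name, digest), detail))
    return findings


def count_jnec_files(root: Path) -> int:
    """Count files whose final extension is .Jnec, which JNEC.a appends after the original one (photo.jpg.Jnec)."""
    return sum(1 for p in root.rglob("*") if p.is_file() and p.suffix.lower() == ".jnec")


def build_demo_tree() -> Path:
    """Constructed sample host, not real malware: one fake Startup item and two 'encrypted' documents."""
    root = Path(tempfile.mkdtemp(prefix="jnec_demo_"))
    startup = root / "Startup"
    startup.mkdir()
    (startup / "GoogleUpdate.exe").write_bytes(b"MZ placeholder, not the real payload")
    (startup / "notes.txt").write_text("not executable, ignored by the scan")
    docs = root / "Documents"
    docs.mkdir()
    (docs / "photo.jpg.Jnec").write_bytes(b"constructed ciphertext")
    (docs / "report.docx.Jnec").write_bytes(b"constructed ciphertext")
    (docs / "untouched.txt").write_text("plain")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, verdict, detail in scan_startup(demo / "Startup"):
        print(f"{verdict:16} {path}  ({detail})")
    print("files with .Jnec extension:", count_jnec_files(demo))
    # On a real Windows host: scan_startup(startup_folder()) and count_jnec_files(Path.home())
```

Hash matching is the only verdict that is certain; the name match is a triage hint, since a legitimately named file could sit in the Startup folder for other reasons, and anything else there still deserves a look because an unexpected Startup item is exactly what this exploit produces.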