- New ransomware dubbed ‘JNEC.a’ propagates by exploiting the WinRAR ACE vulnerability.
- Once the ransomware encrypts files in a computer, it generates a Gmail address that victims need to create through which they will receive the decryption key.
New ransomware dubbed ‘JNEC.a’ propagates by exploiting the WinRAR ACE vulnerability. Researchers noted that this the first ransomware that spreads through the 19-year-old WinRAR ACE exploit.
More details on the ransomware
- JNEC.a ransomware once executed, encrypts files on the infected computer.
- The encrypted files are appended to the .Jnec extension.
- The ransomware drops the ransom note ‘JNEC.README.TXT’ that demands 0.05 bitcoins which is worth $200 for the decryption key.
- Once victims pay the ransom, they need to create a Gmail address as mentioned in the ransom note in order to receive the decryption key.
Worth noting - Once the ransomware encrypts files in a computer, it generates a Gmail address that victims need to create through which they will receive the decryption key.
The big picture
- 360 Threat Intelligence Center spotted the archive ‘vk_4221345.rar’ that delivers the JNEC.a ransomware.
- Attackers trick victims into decompressing the archive and extracting its contents.
- When decompressed, it shows an incomplete image of a girl.
“Warning!!!Possibly the first #ransomware (vk_4221345.rar) spread by #WinRAR exploit (#CVE-2018-20250). The attacker lures victims to decompress the archive through embedding a corrupt and incomplete female picture. It renames files with .Jnec extension,” 360 Threat Intelligence Center tweeted.
Security researcher Michael Gillespie analyzed the ransomware and confirmed that even the malware author of the ransomware cannot decrypt the files.
“PSA: DO NOT PAY. The criminals fucked up the key usage and even they cannot decrypt people's files,” Gillespie tweeted.
The bottom line - Researchers recommend users to upgrade to the latest version of WinRAR in order to avoid such attacks.