At the beginning of this month, a new ransomware campaign was launched targeting hundreds of Israeli websites. The attack used a popular website accessibility plugin to distribute the malware, modifying some data so that instead of the plugin, a malware payload is downloaded on the victim’s machine as soon as it hits the website. This is a clever design, also quite popular, were cybercriminals hack into websites and push malicious data to website visitors. The attack failed partially because of a bug in the payload distributing code, which verified if the operating system is Windows (according to Kaspersky and Bleeping Computer). Normally, without the bug, if the code would have found Windows installed on the victim’s machine, it would download the ransomware, then prompt (tricking) the user to execute it by displaying a fake Adobe Flash player update. If the operating system was not found to be Microsoft’s Windows, a message would have been displayed, changing the contents of the current website (a method called website defacement). Because of the bug, the operating system was not properly detected in most cases and displayed only the message.
Jcry ransomware – test findings
Once executed, the ransomware immediately starts encrypting user files. It is also very fast, it managed to encrypt all our test files in under 4 minutes. It appends the “.jcry” extension to the encrypted files. The attack uses multiple executables to launch the attack, encrypt and decrypt (if the ransom is later paid). At the end of the encryption process, drops some ransom notes and opens the command line decryptor. The criminals demand $500 worth of Bitcoin to recover the files.
Jcry ransomware vs Ranstop – test results
All executables involved in the encryption process are stopped by Ranstop, while also being quarantined. Quarantining these files prevents them from running again on the same PC, e.g. after a restart. This automatic process is especially valuable in the case of JCRY, which copies itself in the startup folder of the user at the beginning of the attack.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.