A new ransomware called JNEC.a is spreading through an exploit for the vulnerability in WinRAR’s recently reported ACE code execution. It will generate a Gmail address after encrypting a computer that victims need to create to receive the decryption key of the file once they pay the ransom.
The ransomware encrypts data on the computer once it has been executed and adds the. Jnec extension to the original one of the file.
The decryption key price is 0.05 bitcoins (approximately $200). The interesting part is that an unusual method was chosen by the malware author to deliver the decryption keys for the file. The unique ID number for each affected computer represents a key delivery Gmail address.
Although the ransom note contains the address, it is not yet registered. This task falls into the victim’s hands if after paying the ransom they want to recover their files.
Just to make sure victims understand how to get their data back, the malware writer also gives clear instructions for creating a specific Gmail address, which can be found in JNEC.README.TXT, and the ransomware drops on an infected computer.
The Qihoo 360 Threat Intelligence Center researchers have detected a wild archive called “vk 4221345.rar” providing JNEC.a when its contents are extracted with a vulnerable WinRAR version, which is all released over the past 19 years.
JNEC.a is written in. NET, and the contents of the rigged archive are extracted. There is a corrupt image of a girl inside that triggers and errors when decompressed and shows an incomplete image.
The error and the fragment of the picture make everything look like a technical fault, so the user is not going to give it another thought. The ransomware is added to the system, however. The exploit of WinRAR allows the author to drop the malware in the Windows Startup folder, so it will deploy on the next login.
The author named it “GoogleUpdate.exe” to hide its presence, so it is easily mistaken for the process of updating Google. It is not difficult to exploit the vulnerability of WinRAR.
Warning!!!Possibly the first #ransomware (vk_4221345.rar) spread by #WinRAR exploit (#CVE-2018-20250). The attacker lures victims to decompress the archive through embedding a corrupt and incomplete female picture. It renames files with .Jnec extension.https://t.co/MHNgHw7zAI pic.twitter.com/Tn5SoXht2A
— 360 Threat Intelligence Center (@360TIC) 18 March 2019
After Check Point published its flaw analysis, the proof-of-concept code was published online. Shortly afterwards, a script appeared on GitHub that automated the creation of a malicious archive using arbitrary payloads. Last week McAfee reported that more than 100 unique exploits were identified in the week following the vulnerability disclosure and the number continued to grow.
34 antivirus engines detect JNEC.a as a threat at the moment of writing. The ransomware encrypts all of the files, which might be why we watched them move slowly during our tests.
The Bitcoin Wallet Ransom shows 12 transactions, but it does not seem that any of them belongs to the victim because October 2018 was the most recent incoming payment.
The balance is 0.05738157 BTC at the moment of writing, which converts to $229.
Hashes:
RAR Archive: 551541d5a9e2418b382e331382ce1e34ddbd92f11772a5d39a4aeb36f89b315e
Ransomware: d3f74955d9a69678b0fabb4cc0e298fb0909a96ea68865871364578d99cd8025
Files:
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdate.exe
