Yoroi-Cybaze ZLab: Cybercrime updated JSWorm ransomware to version 4
JSWorm ransomware has been updated by cybercrime to version 4. Yoroi-Cybaze ZLab cyber security experts analyzed it to understand how it’s work. The malware encrypts all the user files appending a new extension to their name. Unlike other rsimilar malicious codes, the extension is composed by many fields, reporting the information the user needs to move on the ransom payment phase. These fields are the same shown in the ransom note, that are: “Filename.originalExtension.[Infection_ID][Attacker_email].JSWRM”. Moreover, in the ransom note there is also a backup email, “firstname.lastname@example.org”, to ensure availability in case of blacklisting. To ensure the correct machine functionalities, it excludes from the encryption phase several system directories (Windows, Perflogs) and junction points. Also, for each encountered file, the malware compares it with the excluded paths and if they match, a conditional jump is taken.
The cyber security experts: The malware uses a set of extensions to exclude during the cipher step. It encrypts all the files whose extension is not present in the list
According to the cyber security experts, unlike most ransomware, JSWorm does not embed a list of file extensions to encrypt, but uses a set of extensions to exclude during the cipher step. The cybercrime malware encrypts all the files whose extension is not present in the list. During the encryption phase, JSWorm writes a suspicious file named “key.Infection_ID.JSWRM” in “C:\ProgramData”. It contains the AES key used to encrypt the files. Moreover, to maximize the impact of the encryption phase, the ransomware deletes the shadow copies and other system restore points automatically created by Windows; kills some processes related to common programs, like SQL server, to proceed with the encryption of the files on which these programs were operating, and adds a registry key to the autorun path to show the ransom note window also after a system reboot.
Maybe the authors could be Russians
The analyzed case by Yoroi-Cybaze ZLab has features in common with most ransomware like encryption scheme, the deletion of shadow copy and persistence. About the encryption scheme, the JSWorm uses an AES key generated starting from an embedded Base64 seed which is converted into a byte array through CryptStringToBinaryA API. It is very common to find malware relying on this library (CryptoAPI) for cryptographic task mainly for reliability and for reducing time for development. Another interesting element is the presence of a mutex containing the string “kto prochtet tot sdohnet =)” in Russian language. This leads researchers to think that the authors could have Russian hands. Obviously, this could also be a false flag, but the Russian underground have a long tradition in such kind of cyber-crime activities.
Photo Credits: Yoroi