Security researchers have discovered a new variant of the two-year-old JobCrypter ransomware that adds a second encryption layer and a much longer key, making it harder to break than its earlier variants.
While analysing the ransomware, researchers at Trend Micro also observed that it can send a screenshot of the infected device to an email address via SMTP, and that it changes the desktop wallpaper to a ransom note while also displaying a dialog box containing the ransom demand and payment instructions.
"Once it finds a file, it encodes all the file's content to Base64 and encrypts the encoded content with the Triple DES algorithm, and then encodes the encrypted file again to Base64. It also prepends the ransom note to the encrypted file instead of dropping another file in the system as most ransomware routines do, before it finally deletes the original file on the drive.
"The ransom note demands a payment of €1,000 within 24 hours to get the decrypter. The key is made of 67 digits of random numbers between 0 and 9 – found in the registry and body of the sent email – but is deleted by the malware itself during encryption of the files," they noted in a blog post detailing the ransomware's traits.
Commenting on the discovery of JobCrypter's new and more powerful variant, Roy Rashti, cyber-security expert at BitDam, told SC Magazine UK that the earlier variant of JobCrypter wasn't among the most potent of its time, as it protected files with a relatively weak 20-digit decimal key, which left it susceptible to brute-force attacks.
The original ransomware also displayed several predictable behaviours that made it easy for security professionals to identify the source of its random number generation, which in turn made it possible to recover the encryption key in about 10 seconds.
"In the new version, the attackers have significantly improved the encryption method using the Triple DES algorithm and longer keys," Rashti added.
Despite these improvements, the new JobCrypter variant still has an Achilles heel. According to researchers at Trend Micro, the 67-digit key that victims need to recover their files is first written to the registry and included in the body of the email the malware sends, and only then deleted by the malware during encryption of the files.
"Since the key used in encrypting the files was in the system prior to deletion, decryption is possible. Experienced cybersecurity practitioners will notice and know that while the routine is unconventional, the ransom note always ends in ";" and is prepended to the encrypted file content, making it possible to recover important data files," they added.
Rashti added that there are further tell-tale signs of the ransomware's presence before it starts encrypting files on targeted devices. It is usually delivered in zip archives or business-themed folders attached to phishing or spam emails sent to targeted individuals or businesses.
By deploying advanced threat protection that can detect sophisticated threats, alongside a reputable endpoint security product, potential victims can prevent their devices from being infected by the new variant. Because the ransomware initially stays dormant and only registers itself to run after a reboot, targeted businesses and individuals need to be alert at all times to spot and preempt its arrival.
According to Martin Jartelius, CSO at Outpost24, simple and easy ways to decrease the impact are to ensure that users have write access only where needed, that local users are not administrators on their devices, and that the system does not execute software from the temporary internet files or temporary email file folders.
"The most important steps users can take are ensuring that their systems are up-to-date, and that they have endpoint protection software with the latest definitions installed. AV vendors and independent researchers are constantly finding and reporting new strains of malware, and it's critical to stay on top of updates to ensure you remain protected from emerging threats. It is also important to take regular, full backups to ensure your data is protected in case of disaster," says Ben Schmidt, CSO at PolySwarm.