JNEC.a Ransomware Spread by WinRAR Ace Exploit

silversurfer

Thread author
A new ransomware called JNEC.a spreads through an exploit for the recently reported code execution ACE vulnerability in WinRAR. After encrypting a computer, it will generate a Gmail address that victims need to create in order to receive the file decryption key once they pay the ransom.

Once executed, the ransomware encrypts data on the computer and appends the .Jnec extension to the file’s original one. The price for the decryption key is 0.05 bitcoins (about $200).

The interesting part is that the malware author chose an unusual method to deliver the file decryption keys. The ID number unique for each affected computer represents a Gmail address for the delivery of the key.

Although the address is available in the ransom note, it is not registered yet. This task falls in the hands of the victim if they want to recover their files after paying the ransom.



Just to make sure that the victims understand how they can recover their data, the malware author also provides clear instructions about creating the specific Gmail address; these are available in a JNEC.README.TXT ransom note that the ransomware drops on an infected computer.



Researchers at Qihoo 360 Threat Intelligence Center spotted in the wild an archive called “vk_4221345.rar” that delivers JNEC.a when its contents are extracted with a vulnerable version of WinRAR, which is all of them released over the past 19 years, save build 5.70 and newer.
Warning!!! Possibly the first #ransomware (vk_4221345.rar) spread by #WinRAR exploit (#CVE-2018-20250). The attacker lures victims to decompress the archive through embedding a corrupt and incomplete female picture. It renames files with .Jnec extension.
— 360 Threat Intelligence Center (@360TIC) March 18, 2019
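
A triage sweep for the indicators named in the post above, added here as an example and not taken from the thread or from Qihoo 360: it flags the JNEC.README.TXT note, files carrying the appended .Jnec extension, and .rar files whose header is actually ACE. The ACE signature position (the bytes `**ACE**` at offset 7) and all sample files are assumptions of this example; the samples are constructed placeholders, not malware.

```python
import os
import tempfile

ACE_MAGIC = b"**ACE**"         # ACE signature at byte offset 7 of the header
RAR_MAGIC = b"Rar!\x1a\x07"    # prefix shared by RAR4 and RAR5 signatures
NOTE_NAME = "jnec.readme.txt"  # ransom note named in the post (lower-cased)
ENC_SUFFIX = ".jnec"           # extension appended to encrypted files

def classify(path):
    """Return a finding label for one file, or None if nothing matches."""
    name = os.path.basename(path).lower()
    if name == NOTE_NAME:
        return "ransom-note"
    if name.endswith(ENC_SUFFIX):
        return "encrypted-file"
    if name.endswith(".rar"):
        with open(path, "rb") as fh:
            head = fh.read(14)
        # ACE content behind a .rar name (WinRAR picks the unpacker by content)
        if head[7:14] == ACE_MAGIC and not head.startswith(RAR_MAGIC):
            return "ace-disguised-as-rar"
    return None

def scan(root):
    """Walk root and return sorted (relative path, label) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            label = classify(full)
            if label:
                findings.append((os.path.relpath(full, root), label))
    return sorted(findings)

def build_sample_tree():
    """Write a constructed sample tree (no real malware) and return its path."""
    root = tempfile.mkdtemp(prefix="jnec_demo_")
    samples = {
        "lure.rar": b"\x00" * 7 + ACE_MAGIC + b"\x00" * 8,  # ACE header bytes
        "normal.rar": RAR_MAGIC + b"\x00" * 16,             # real RAR prefix
        "report.docx.Jnec": b"constructed",
        "JNEC.README.TXT": b"constructed",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

A hit on the disguised-archive label is a reason to quarantine the file and confirm the installed WinRAR is build 5.70 or newer, the fixed line the post cites.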
 

codswollip

So any ace-unarchiver is affected? Not specific to old WinRAR versions... It helps to be clear, lest users of other archive apps think they are secure.
 