
New JobCrypter ransomware variant captures screenshots of infected devices

Security researchers have discovered a new variant of the two-year-old JobCrypter ransomware that now features an additional encryption layer and a much longer decryption key, making it more powerful and harder to break than its earlier variants.

While analysing the ransomware, researchers at Trend Micro also observed that it features the ability to send a screenshot of a targeted device to an email address via SMTP and can even change the wallpaper of infected devices to include a ransom note as well as a display box containing details of ransom demands and instructions.

“Once it finds a file, it encodes all the file’s content to Base64 and encrypts the encoded content with Triple DES algorithm, and then encodes the encrypted file again to Base64. It also prepends the ransom note with the encrypted file instead of dropping another file in the system as most ransomware routines do before it finally deletes the original file in the drive.

“The ransom note demands a payment of €1,000 within 24 hours to get the decrypter. The key is made of 67 digits of random numbers between 0 to 9 – found in the registry and body of the sent email – but is deleted by the malware itself during encryption of the files,” they noted in a blog post detailing the ransomware’s traits.

Commenting on the discovery of JobCrypter's new and more powerful variant, Roy Rashti, cyber-security expert at BitDam, told SC Magazine UK that the earlier variant of JobCrypter wasn't among the most potent ones of its time, as it encrypted files with a relatively weak 20-character decimal key, which left it open to brute-force attacks.

The original ransomware also displayed several predictable behaviours which made it easy for security professionals to assess the source of the random function which, in turn, made it possible to discover the encryption key in about 10 seconds.

“In the new version, the attackers have significantly improved the encryption method using the Triple DES algorithm and longer keys,” Rashti added.

Despite such improvements, the new JobCrypter variant does have an Achilles heel after all. According to researchers at Trend Micro, the 67-digit decryption key required by victims to recover their files is initially stored in the registry and body of the sent email before it is deleted by the malware itself during encryption of the files.

“Since the key used in encrypting the files was in the system prior to deletion, decryption is possible. Experienced cybersecurity practitioners will notice and know that while the routine is unconventional, the ransom note always ends in “;” and is prepended before the encrypted file content, making it possible to recover important data files,” they added.
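The file layout Trend Micro describes (ransom note, terminated by ";", prepended to Base64(3DES(Base64(original)))) is simple enough that a recovery tool can be sketched for the case where the key has been recovered from the registry or the e-mail body before the malware deleted it. The following Go program is an added illustration and is not Trend Micro's decrypter or any JobCrypter code. The page does not say how the 67-digit string becomes a 3DES key, nor which cipher mode, IV or padding the sample uses; the example assumes the first 24 digits as raw key bytes, CBC with an all-zero IV and PKCS#7 padding, and labels each of those as an assumption. `buildSample` only constructs an in-memory fixture in that layout so the recovery path can be exercised offline; `sampleKey` is a constructed value, not a real key.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// The page reports that the prepended ransom note always ends in ";" and that
// the body that follows is Base64(3DES(Base64(original content))).
const noteTerminator = ";"

// Constructed 67-digit string standing in for a key recovered from the registry
// or the sent e-mail. Not a real JobCrypter key.
var sampleKey = strings.Repeat("0123456789", 6) + "0123456"

// ASSUMPTION: the page does not state the cipher mode, IV or padding used by the
// sample. This illustration uses CBC with an all-zero IV and PKCS#7 padding.
var zeroIV = make([]byte, des.BlockSize)

// cipherFor derives the Triple DES cipher from the recovered digit string.
// ASSUMPTION: how the real sample maps 67 digits to a 24-byte key is not on the
// page; taking the first 24 digits as raw key bytes is an illustrative choice.
func cipherFor(keyDigits string) (cipher.Block, error) {
	if len(keyDigits) < 24 || strings.Trim(keyDigits, "0123456789") != "" {
		return nil, errors.New("key must be at least 24 decimal digits")
	}
	return des.NewTripleDESCipher([]byte(keyDigits[:24]))
}

// splitEncryptedFile separates the prepended note from the Base64 payload.
// Base64 output never contains ';', so the LAST ';' in the file is the note
// terminator even when the note text itself contains semicolons.
func splitEncryptedFile(data []byte) (string, []byte, error) {
	i := bytes.LastIndex(data, []byte(noteTerminator))
	if i < 0 {
		return "", nil, errors.New("no note terminator found: not the expected layout")
	}
	return string(data[:i+1]), bytes.TrimSpace(data[i+1:]), nil
}

// pkcs7Unpad strips and validates PKCS#7 padding; a wrong key usually fails here.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > des.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding (wrong key?)")
	}
	return b[:len(b)-n], nil
}

// recoverFile reverses the described routine: outer Base64 decode, 3DES decrypt,
// inner Base64 decode. It returns the ransom note and the original content.
func recoverFile(data []byte, keyDigits string) (string, []byte, error) {
	note, payload, err := splitEncryptedFile(data)
	if err != nil {
		return "", nil, err
	}
	block, err := cipherFor(keyDigits)
	if err != nil {
		return "", nil, err
	}
	ct, err := base64.StdEncoding.DecodeString(string(payload))
	if err != nil || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", nil, fmt.Errorf("outer base64 or ciphertext length invalid: %v", err)
	}
	inner := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(inner, ct)
	if inner, err = pkcs7Unpad(inner); err != nil {
		return "", nil, err
	}
	plain, err := base64.StdEncoding.DecodeString(string(inner))
	if err != nil {
		return "", nil, fmt.Errorf("inner base64 (wrong key?): %w", err)
	}
	return note, plain, nil
}

// buildSample constructs an in-memory file in the described layout so that
// recoverFile can be exercised offline. Constructed test fixture only.
func buildSample(note string, original []byte, keyDigits string) ([]byte, error) {
	block, err := cipherFor(keyDigits)
	if err != nil {
		return nil, err
	}
	inner := []byte(base64.StdEncoding.EncodeToString(original))
	pad := des.BlockSize - len(inner)%des.BlockSize
	inner = append(inner, bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(inner))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, inner)
	return []byte(note + noteTerminator + base64.StdEncoding.EncodeToString(ct)), nil
}

func main() {
	file, _ := buildSample("Files encrypted; pay within 24h", []byte("constructed sample\n"), sampleKey)
	note, plain, err := recoverFile(file, sampleKey)
	fmt.Printf("note=%q recovered=%q err=%v\n", note, plain, err)
}
```

Two points a practitioner would keep from this: the split must use the last ";" rather than the first, because the note itself may contain semicolons while the Base64 body cannot, and a wrong key should fail loudly at the padding or inner-Base64 step instead of silently writing garbage over a victim's file, which is why `recoverFile` returns errors rather than best-effort output.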

Rashti added that there are more tell-tale signs of the presence of the ransomware before it starts encrypting files stored in targeted devices. The ransomware is usually stored in zip files or business folders that serve as attachments to phishing or spam emails sent to targeted individuals or businesses.

By deploying advanced threat protection solutions that can detect sophisticated threats, together with a reputable endpoint solution, organisations can prevent their devices from being infected by the new variant. Considering that the ransomware initially stays dormant and only registers itself to run after a reboot, targeted businesses and individuals will need to be alert at all times to spot and preempt its arrival.

According to Martin Jartelius, CSO at Outpost24, simple and easy ways to decrease the impact are to ensure that users have write access only where needed, that local users are not administrators on their devices, and that the system does not execute software from the temporary internet files or temporary email file folders.

“The most important steps users can take are ensuring that their systems are up-to-date, and that they have endpoint protection software with the latest definitions installed. AV vendors and independent researchers are constantly finding and reporting new strains of malware, and it’s critical to stay on top of updates to ensure you remain protected from emerging threats. It is also important to take regular, full backups to ensure your data is protected in case of disaster,” says Ben Schmidt, CSO at PolySwarm.
