JNEC.a Ransomware Spread by WinRAR Ace Exploit (Mar 18, 2019)
Threat actors have been observed exploiting the WinRAR vulnerability registered as "CVE-2018-20250" to deliver a new ransomware called "JNEC.a." The ransomware was identified infecting machines through this WinRAR vulnerability. The actors behind the malware demand .05 bitcoins (approximately $199.97 USD) from a user whose files have been encrypted and appended with the ".Jnec" extension. Interestingly, the actors generate a unique ID for each infected machine and use it to create a Gmail account for the victim; the actors claim that the decryption key will be sent to that address. The ransom note shows the Bitcoin ransom amount, the Bitcoin wallet address for payment, the number of encrypted files, and the unique Gmail address. Qihoo 360 Intelligence researchers found a .rar archive in the wild that contained the ransomware, so this archive is likely the distribution method for JNEC.a.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications from trusted vendors should also be employed. Emails received from unknown senders should be treated with caution, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of a ransomware infection.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.