JungleSec Ransomware Infects Victims Through IPMI Remote Consoles
(Dec 26, 2018)

The ransomware called "JungleSec," first identified in November 2018, has been found to infect victims through unsecured Intelligent Platform Management Interface (IPMI) devices, according to BleepingComputer reporters. Victims told the reporters that their Linux servers were infected with JungleSec via "unsecured IPMI devices." IPMI devices are used by IT administrators to remotely access and manage a machine. Before IPMI was identified as the initial infection vector, it was unknown how targets, including Mac and Windows machines, were being infected. Improperly configured and unsecured IPMI interfaces were observed being used by unknown threat actors to install the ransomware on a machine. Once a machine is infected, the user is presented with a ransom note demanding 0.3 bitcoins ($1,119 USD) to decrypt the files.
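As an added defensive check (example code, not part of the original advisory): the script below parses the output of `ipmitool lan print` for several baseboard management controllers and flags the two misconfigurations most directly behind an "unsecured IPMI device" of the kind described above: an interface addressed outside the dedicated management network, and RMCP+ cipher suite 0 (which provides no authentication) left enabled. The management network, hostnames, addresses and the sample captures are constructed for the example; only the field layout follows ipmitool's `lan print` format.

```python
import ipaddress
import re

# Policy assumption for this example: BMCs belong on this dedicated
# management network and nowhere else (constructed value).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample output in the layout `ipmitool lan print` uses.
# Hostnames, addresses and MACs are made up for the example.
SAMPLE_BMC_OUTPUT = {
    "db-01": """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 203.0.113.45
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:00:00:01
Default Gateway IP      : 203.0.113.1
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
""",
    "web-02": """\
Set in Progress         : Set Complete
Auth Type Support       : MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 10.20.30.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:25:90:00:00:02
Default Gateway IP      : 10.20.30.1
RMCP+ Cipher Suites     : 3,17
Cipher Suite Priv Max   : XXXaXXXXXXXXXXXXXa
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
""",
}


def parse_lan_print(text):
    """Turn `ipmitool lan print` output into a dict of field -> value.

    Each line is "Field Name : value"; we split on the first colon only,
    because values such as MAC addresses contain colons themselves.
    Continuation lines have an empty field name and are appended to the
    previous field's value.
    """
    fields = {}
    last_key = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
            last_key = key
        elif last_key is not None:
            fields[last_key] = (fields[last_key] + " " + value).strip()
    return fields


def audit_bmc(fields, management_networks=MANAGEMENT_NETWORKS):
    """Return a list of 'code: detail' findings for one parsed BMC."""
    findings = []

    ip_text = fields.get("IP Address")
    if ip_text:
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append(f"unparseable-address: {ip_text!r}")
        else:
            if not any(addr in net for net in management_networks):
                findings.append(
                    f"outside-management-network: BMC at {addr} is not in "
                    + ", ".join(str(n) for n in management_networks)
                )

    # RMCP+ cipher suite 0 offers no authentication, integrity or
    # confidentiality; a BMC that still enables it is "unsecured" in the
    # sense the advisory describes, whatever its password policy.
    suites = {int(s) for s in re.findall(r"\d+", fields.get("RMCP+ Cipher Suites", ""))}
    if 0 in suites:
        findings.append("cipher-suite-0: RMCP+ cipher suite 0 (no auth) is enabled")

    return findings


def audit_all(outputs, management_networks=MANAGEMENT_NETWORKS):
    """Audit several hosts' `lan print` captures; returns host -> findings."""
    return {
        host: audit_bmc(parse_lan_print(text), management_networks)
        for host, text in outputs.items()
    }


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_BMC_OUTPUT).items():
        print(f"{host}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

In practice the captures come from `ipmitool lan print` run against each BMC (or from a configuration management export), and `MANAGEMENT_NETWORKS` is set to the real out-of-band management range. A host reported as REVIEW is one whose IPMI interface is reachable from outside the management network or accepts unauthenticated RMCP+ sessions, which is exactly the exposure the advisory's victims described.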

Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place, in addition to a business continuity policy. In the unfortunate case that a restorable backup is not in place, check for a decryptor before considering payment; avoid payment at all costs, because it does not guarantee that the encrypted files will be recovered. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.

Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.