CB TAU Threat Intelligence Notification: JSWorm Ransomware Encrypts Files, Amends File Extensions

JSWorm ransomware is a well-known ransomware family that has been seen in the wild for years and has now been observed updated to version 4. After it encrypts files, it appends “.[Generated ID][Contact Email].JSWRM” as the file extension of each encrypted file and displays the ransom note shown in Figure 2 below to the victim.

![jw1.png|441x206](upload://4TpZPp1t0MWXSZweOa11kB64Qg0.png "jw1.png")

Figure 1: Encrypted files by JSWorm Ransomware.


![jw2.png|633x294](upload://vzTHr8rvFpITWZEkwihx1jDk9ZL.png "jw2.png")

Figure 2: Screenshot of the ransom note

Beyond that, like other ransomware variants, it establishes persistence at startup by adding registry keys, kills processes (for example database programs such as SQL Server) so that the files they hold open can be encrypted, deletes volume shadow copies, and disables Windows automatic startup repair so that the data cannot easily be restored.
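The behaviours above (the `.[ID][email].JSWRM` extension, shadow-copy deletion, disabling startup repair, killing database processes) can be turned into simple host-level triage. The following is an added example, not code from the notification or from Carbon Black: it parses the encrypted-file name format quoted above and scores a constructed event stream; the command-line patterns are assumed generic forms of each behaviour, since the notification does not quote the sample's actual command lines, and the event dictionaries are a hypothetical feed shape.

```python
import re
from typing import Dict, List, Optional, Tuple

# Encrypted-file name format described in the notification:
#   <original name>.[<generated id>][<contact email>].JSWRM
JSWRM_NAME = re.compile(
    r"\.\[(?P<victim_id>[^\]]+)\]\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.JSWRM$", re.I)

# Command-line heuristics for the collateral behaviours the notification lists.
# Assumed, generic forms of each behaviour; the notification quotes no command lines.
CMD_RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("db_process_kill", re.compile(r"\btaskkill(\.exe)?\b.*\bsqlservr\.exe\b", re.I)),
]

def parse_encrypted_name(path: str) -> Optional[Tuple[str, str]]:
    """(generated id, contact email) if the path carries the JSWorm v4 extension, else None."""
    m = JSWRM_NAME.search(path)
    return (m.group("victim_id"), m.group("email")) if m else None

def classify_cmdline(cmdline: str) -> List[str]:
    """Every listed behaviour a process command line matches."""
    return sorted({name for name, rx in CMD_RULES if rx.search(cmdline)})

def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Score one host's events ('file' = renamed path, 'process' = command line).
    The strong verdict needs the extension pattern plus a recovery-inhibiting behaviour."""
    encrypted, behaviours = [], set()
    for ev in events:
        if ev["type"] == "file":
            hit = parse_encrypted_name(ev["value"])
            if hit:
                encrypted.append(hit)
        elif ev["type"] == "process":
            behaviours.update(classify_cmdline(ev["value"]))
    verdict = ("jsworm_likely" if encrypted and behaviours
               else "suspicious" if (encrypted or behaviours) else "clean")
    return {"verdict": verdict, "encrypted_files": len(encrypted),
            "victim_ids": sorted({vid for vid, _ in encrypted}),
            "behaviours": sorted(behaviours)}

# Constructed sample events (not real telemetry) in the hypothetical feed's shape.
SAMPLE_EVENTS = [
    {"type": "file", "value": r"C:\Users\alice\Documents\report.docx.[ABC123][placeholder@example.com].JSWRM"},
    {"type": "file", "value": r"C:\Users\alice\Pictures\holiday.jpg.[ABC123][placeholder@example.com].JSWRM"},
    {"type": "process", "value": "vssadmin.exe delete shadows /all /quiet"},
    {"type": "process", "value": "bcdedit.exe /set {default} recoveryenabled no"},
    {"type": "process", "value": "taskkill /f /im sqlservr.exe"},
]
```

A single renamed file or a lone `vssadmin` call is only flagged "suspicious"; the combination is what distinguishes the ransomware pattern from legitimate administration.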

While this is a new version of JSWorm, it is blocked and detected by existing policies within Carbon Black products. To learn more about ransomware behavior and about the detection and protection capabilities of the Carbon Black suite of products against JSWorm ransomware, refer to the following blog post:

TAU-TIN – Ransomware Threats

Behavioral Summary

CB Defense will display the malware’s overall triggered TTPs.

![jw3.png](upload://ePJCeKvEmRjRGh7mGgAsTM04CUo.png "jw3.png")![jw4.png](upload://wyp4mI8UN60bPjHpuG6NF9zSAlQ.png "jw4.png")

Indicators of Compromise (IOCs)

| Indicator | Type | Context |
| --- | --- | --- |
| 46761b8b727f3002d1c73fa6c8568ebcf2ec0066666251f66dcda9d4268e03e8 | SHA256 | JSWorm Ransomware |
| c669320b97f2c124307c3e8ae2e9206d | MD5 | JSWorm Ransomware |

The post CB TAU Threat Intelligence Notification: JSWorm Ransomware Encrypts Files, Amends File Extensions appeared first on Carbon Black.

Article Link: https://www.carbonblack.com/2019/09/25/cb-tau-threat-intelligence-notification-jsworm-ransomware-encrypts-files-amends-file-extensions/