depe

JSWORM 3.1 encrypted my data


Hi,

A new version of JSWorm encrypted my data.

The attached info is an .hta file with the text: JSWORM 3.1

Thank you

All your files were encrypted!

All your files have been encrypted due to a security problem with your OC. If you want to restore them, write us to the e-mail: [email protected]

Write this unique identificator in the title of your message: 1592098033

In case of no answer in 24 hours write us to this e-mail:

You have to pay for decryption in Bitcoins. The price depends on how fast you write us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as proof!

Before paying you can send us 1 file for free decryption. The total size of file must be less than 1MB (non-archived)

and files shouldn't contain valuable information (databases, backups, large excel sheets, etc)


Hello

Archive the original .hta file and attach to your post.
Attach an archive with several encrypted files.
If there is another note in text format, then also attach it to your message.


hah, I've decrypted 2 files. check

7 hours ago, lochesistemas said:

forgot to enable replies. please help!

9 hours ago, lochesistemas said:

so, where's the decryptor?

write e-mail ***************

Edited by GT500
Removed e-mail address.


That is the email address for paying the ransom. We are rebuilding the machine anyway because we have it all backed up. I'm here to contribute to not paying you or anyone else.

5 minutes ago, lochesistemas said:

so you are the guy that created the ransomware.. alright.. did you get the access via rdp? can you login now?

My work is to create. Others' work is to infect.

10 hours ago, jsworm said:

hah, I've decrypted 2 files. check

Why don't you decrypt all of their files? Might it be because you're a criminal?


17 hours ago, lochesistemas said:

Hi. I have a customer that just got infected, with an .hta note. Tried the 2.0 decrypter, but .hta is not supported, so I suspect the decrypter won't work.

We have a sample of this version of JSWorm, and our malware analysts are working on breaking its encryption. Hopefully it won't be too much longer before we can update the decrypter. ;)

12 hours ago, lochesistemas said:

did you get the access via rdp?

While you're waiting for the decrypter to be updated, here are some basic steps that can be taken to help prevent this kind of thing from happening again:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

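As an added example (not code from anyone in this thread), here is a small Python audit that applies the firewall rules GT500 lays out above, and repeats later in the thread, to a constructed ruleset: RDP and Windows networking must not be reachable from outside the internal network at all, remote-access entry points (SSH, VPN) may be open only to specific source addresses, and anything else open to 0.0.0.0/0 is flagged so the port audit can confirm it is really needed. The rule format, the port/service mapping and the sample rules are assumptions made for this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed ruleset in a made-up, firewall-agnostic format: "allow <proto> <port> from <cidr>".
SAMPLE_RULES = """\
allow tcp 3389 from 0.0.0.0/0
allow tcp 445 from 10.0.0.0/8
allow udp 1194 from 0.0.0.0/0
allow udp 1194 from 203.0.113.7/32
allow tcp 443 from 0.0.0.0/0
"""

# Assumed port/service mapping. RDP and Windows networking must only be reachable over the VPN;
# remote-access entry points (SSH, VPN) may be open, but only to specific source addresses.
NEVER_EXPOSE = {3389: "RDP", 445: "SMB", 139: "NetBIOS"}
RESTRICT_TO_KNOWN = {22: "SSH", 1194: "OpenVPN", 500: "IKE", 4500: "IPsec NAT-T", 51820: "WireGuard"}
INTERNAL = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Rule(NamedTuple):
    proto: str
    port: int
    source: ipaddress.IPv4Network


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format; reject anything it does not understand."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "allow" or parts[3] != "from":
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append(Rule(parts[1], int(parts[2]), ipaddress.IPv4Network(parts[4], strict=False)))
    return rules


def audit(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (severity, message) findings in rule order; an empty list means nothing to fix."""
    findings = []
    for r in rules:
        internal_only = any(r.source.subnet_of(n) for n in INTERNAL)  # RFC 1918 source only
        open_to_all = r.source.prefixlen == 0                            # 0.0.0.0/0
        if r.port in NEVER_EXPOSE and not internal_only:
            findings.append(("critical", f"{NEVER_EXPOSE[r.port]}/{r.port} reachable from {r.source}: "
                             "remove the rule and require a VPN instead"))
        elif r.port in RESTRICT_TO_KNOWN and open_to_all:
            findings.append(("high", f"{RESTRICT_TO_KNOWN[r.port]}/{r.port} open to any source: "
                             "limit to known IPs, or use SPA/port knocking for dynamic ones"))
        elif open_to_all:
            findings.append(("review", f"{r.proto}/{r.port} open globally: confirm it must be public"))
    return findings
```

Running `audit(parse_rules(SAMPLE_RULES))` flags the global RDP rule as critical, the global OpenVPN rule as high, and the public HTTPS rule for review, while the SMB rule limited to 10.0.0.0/8 and the OpenVPN rule limited to one known address pass.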

This was a brand new customer where the previous technicians never mentioned RDP exploits, and I warned them last week... they had been using it for the last 4 years... oh, the irony. They are now using RDP over SSL.

6 hours ago, lochesistemas said:

They are now using rdp over ssl

I hope you mean SSH. ;)

7 hours ago, GT500 said:

I hope you mean SSH. ;)

no. rdp over ssl.. using https with MFA, you can get access in a secure way to the remote server. and it's easier for users also!

9 hours ago, lochesistemas said:

no. rdp over ssl.. using https with MFA, you can get access in a secure way to the remote server. and it's easier for users also!

I highly recommend running RDP over SSH or VPN, keeping the SSH and/or VPN port closed globally, and only opening ports for authorized IP addresses. Many corporate firewalls these days support technologies such as Single Packet Authorization or Port Knocking to open ports for dynamic IP addresses, so this kind of configuration should be possible for anyone who needs to connect.

No matter how much protection you slap on top of it, it is far too dangerous to leave RDP exposed to the Internet. There have been too many security vulnerabilities in RDP in the past few months that allowed for bypassing security for it to be considered safe to expose RDP directly to the Internet.

10 hours ago, lochesistemas said:

no. rdp over ssl.. using https with MFA, you can get access in a secure way to the remote server. and it's easier for users also!

To second @GT500, have you heard of a little something called CVE-2019-0708? It's literally an exploit that doesn't require even logging in, completely bypassing MFA... it's not the first such exploit recently, nor will it likely be the last. Good that you have MFA, but seriously put it behind VPN.

Edited by GT500
Added link for news explaining CVE-2019-0708.

21 hours ago, Demonslay335 said:

To second @GT500, have you heard of a little something called CVE-2019-0708? It's literally an exploit that doesn't require even logging in, completely bypassing MFA... it's not the first such exploit recently, nor will it likely be the last. Good that you have MFA, but seriously put it behind VPN.

rdp over ssl is as secure as vpn or ssh. Only port 443 is opened! https://www.itpromentor.com/secure-rds/

3 hours ago, lochesistemas said:

I hope you didn't follow the advice in that article. Configuring an IP on your network as a DMZ exposes all ports on that system to the Internet, and nullifies any security the firewall in the router may have been providing.

If you want to isolate one or more systems from other computers/devices on your internal network, then use VLANs, and use a VPN to hide/protect remote connections. You'll save yourself (and your clients) a lot of grief.

3 hours ago, lochesistemas said:

rdp over ssl is secure as vpn or ssh. Port 443 is opened only!

So someone connects to port 443 (which is HTTPS BTW), and then attempts to exploit RDP. All they have to do is a port scan to see it's open and that it's RDP.

BTW: The latest version of SSL was deprecated in June 2015 by RFC 7568.


no.. it's not port forwarding nor dmz..  it's just a website using ssl where you have to log on (and add MFA). Once you are logged in, you can open applications such as MS Word or any app installed in Windows Server. RDP is never opened. Only port 443 pointing to an IIS Server is opened like a regular website


If RDP isn't secure, then is Microsoft's web-based alternative secure?

23 hours ago, lochesistemas said:

plain RDP is extremely insecure. SSL is secure. Therefore, using RDP over SSL is secure! And add MFA in the middle!

SSL is not secure. TLS 1.2 and newer are secure.

Also, SSL and TLS are not intended to secure the connection point, but rather to prevent snooping on an active connection. SSL and TLS will not protect your RDP server from attack.

MFA is nice, but it will not prevent the exploitation of security vulnerabilities that bypass RDP security. The only way to prevent that is to prevent any outside access to RDP whatsoever. Restricting which IP addresses can access the port is also highly recommended.

19 hours ago, depe said:

Do I have any chance to decrypt the files?

I've asked how the update to our decrypter is coming. From what I'm seeing, it looks like analysis of this new variant is still in progress.


Not yet, but decryption of 3.0 is coming soon. The idiot who coded it has an annoying bug that corrupts many files that we have to overcome.

