CB TAU Threat Intelligence Notification: JCry Ransomware Pretends to be Adobe Flash Player Update Installer

2019-05-14T15:48:59
ID CARBONBLACK:F8DA31190B79D1AFD0043573D31158FE
Type carbonblack
Reporter Ryan Murphy
Modified 2019-05-14T15:48:59

Description

JCry is a new ransomware family with the unusual characteristics of being written in the Go programming language and being delivered as multiple executables, each with its own purpose. It was hosted on a compromised website posing as an Adobe Flash Player update installer to lure users into clicking and executing it. It appends “.jcry” as the file extension of encrypted files and drops a ransom note named “JCRY_Note.html”.


Figure 1: Screenshot of the ransom note “JCRY_Note.html”


Figure 2: Go Build ID and Go library strings found in the ransomware

This post serves to inform our customers about detection and protection capabilities within the Carbon Black suite of products against JCry ransomware.

Behavioral Summary

Once the user clicks on the fake Adobe Flash Player installer, it extracts the following malicious payloads into the Startup directory to maintain persistence:

  • Enc.exe
  • Dec.exe
  • Msg.vbs
  • PersonalKey.txt

Executing msg.vbs displays the following message, making the user believe that access to update Adobe Flash Player was denied.


Figure 3: Screenshot of message by msg.vbs

At the same time, Enc.exe starts the encryption routine and appends “.jcry” as the file extension of each encrypted file. After encrypting the files, it deletes shadow copies with the command “vssadmin delete shadows /all” so that the data cannot easily be restored.

It then launches Dec.exe via PowerShell with the command “cmd.exe /c powershell -WindowStyle Hidden Start-Process Dec.exe -WindowStyle maximized”.

“Dec.exe” is a console application that displays the ransom note and prompts the user to enter the decryption key to decrypt the files, as shown in the following screenshot. Upon execution, it also terminates and deletes Enc.exe.


Figure 4: Screenshot of the content from Dec.exe
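As an added illustration (not Carbon Black's code and not a query from any of its products), the following Python sketches how the execution chain described above could be matched in process-creation telemetry. The event fields, the per-user Startup path and the sample events are constructed assumptions for the example.

```python
import re

# Detection rules for the JCry execution chain, keyed by rule name. Each rule is a
# case-insensitive regex applied to the process image path and command line together.
RULES = {
    # Payloads the dropper extracts into the Startup folder (Enc.exe, Dec.exe, Msg.vbs)
    "startup_payload": re.compile(r"\\startup\\(enc\.exe|dec\.exe|msg\.vbs)", re.I),
    # Shadow copy deletion after encryption
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I),
    # cmd.exe handing off to a hidden PowerShell that starts Dec.exe
    "hidden_powershell_launch": re.compile(
        r"cmd\.exe\s+/c\s+powershell\s+-windowstyle\s+hidden\s+start-process\s+dec\.exe", re.I),
}

def classify(event):
    """Return the names of the rules a single process-creation event matches."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [name for name, rx in RULES.items() if rx.search(haystack)]

def triage(events):
    """Aggregate matched rules across a host's events: rule name -> list of pids."""
    hits = {}
    for e in events:
        for name in classify(e):
            hits.setdefault(name, []).append(e["pid"])
    return hits

def full_chain_observed(events):
    """True when every stage of the chain (drop, shadow deletion, hidden launch) was seen."""
    return set(triage(events)) == set(RULES)

# Constructed sample events (assumption: schema with pid, image, cmdline), not real telemetry.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"pid": 1, "image": STARTUP + r"\Enc.exe", "cmdline": "Enc.exe"},
    {"pid": 2, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": 'wscript.exe "' + STARTUP + r'\Msg.vbs"'},
    {"pid": 3, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all"},
    {"pid": 4, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -WindowStyle Hidden Start-Process Dec.exe -WindowStyle maximized"},
    {"pid": 5, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},  # benign
]

if __name__ == "__main__":
    for name, pids in triage(SAMPLE_EVENTS).items():
        print(f"{name}: pids {pids}")
    print("full chain observed:", full_chain_observed(SAMPLE_EVENTS))
```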

Below are the process chart and events from CB ThreatHunter showing JCry ransomware encrypting files and appending ‘.jcry’ as the file extension.


In addition, CB Defense will display the malware’s overall triggered TTPs.


If you are a Carbon Black customer looking for more information on how to defend against this attack, click here.

MITRE ATT&CK TIDs

TID | Tactic | Description
---|---|---
T1204 | Execution | User Execution: Ransomware posing as a fake Adobe Flash Player update on a compromised website to lure users into clicking/downloading it for execution.
T1064 | Defense Evasion, Execution | Scripting: It creates and executes a VBS script in the Startup folder.
T1022 | Exfiltration | Data Encrypted: Ransomware encrypts data.
T1059 | Execution | Command-Line Interface: cmd.exe invokes PowerShell to execute a payload.
T1086 | Execution | PowerShell: PowerShell was used to execute a payload.
T1107 | Defense Evasion | Shadow Copy Deletion by WMIC or VSSAdmin

Indicators of Compromise (IOCs)

Indicator | Type | Context
---|---|---
d7e118a3753a132fbedd262fdf4809a76ce121f758eb6c829d9c5de1ffab5a3b | SHA256 | JCry Ransomware
c86c75804435efc380d7fc436e344898 | MD5 | JCry Ransomware
22488abddbd4a61bb32bb7c2883b56e2f97541f85125f8d4c1593f65853a1d48 | SHA256 | JCry Ransomware
5b640be895c03f0d7f4e8ab7a1d82947 | MD5 | JCry Ransomware
f2f4323df1a065cde9269b1c801fa912b296e36d08452e038778ba16b05dcba9 | SHA256 | JCry Ransomware
6B4ED5D3FDFEFA2A14635C177EA2C30D | MD5 | JCry Ransomware
hxxp://kpx5wgcda7ezqjty[.]onion | URL | JCry ransom payment URL

The post CB TAU Threat Intelligence Notification: JCry Ransomware Pretends to be Adobe Flash Player Update Installer appeared first on Carbon Black.