Dissecting the .java file ransomware

When a ransom Trojan infects a computer, the consequences are serious because it is the victim’s personal data that takes the hit. Some ransomware samples are crude and can be cracked. Some, however, implement the cryptography flawlessly and pose a real risk of permanent data loss. The CrySiS/Dharma ransomware family is firmly in the latter category. Its latest variant appends the .java extension to encrypted files and is just as competently coded as all the previous spinoffs.

Whereas mainstream blackmail infections make the rounds via phishing emails with malicious attachments, the .java file version of CrySiS goes a different route: it is executed on target computers manually. How is that possible? The operators of this extortion campaign zero in on systems with poorly secured remote desktop services. In other words, they brute-force RDP passwords, gain a foothold on such machines and are then able to deposit arbitrary binaries and run commands remotely.
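The RDP password-guessing that precedes this infection leaves a trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10 for Remote Desktop) from one source, often followed by a successful logon (event 4624) from the same source. The following is an added example, not code from the MalwareCheck.org article; the event lines are constructed, and their one-line key=value layout is an assumed simplification of what a SIEM export would contain.

```python
# Added example (not from the original article): flag RDP brute-force bursts in
# Windows failed-logon events and the successful logon that follows one.
# SAMPLE_EVENTS is constructed telemetry in an assumed simplified layout:
#   <ISO timestamp> <event id> LogonType=<n> User=<name> Src=<ip>
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = """\
2018-02-10T03:14:01 4625 LogonType=10 User=administrator Src=198.51.100.23
2018-02-10T03:14:03 4625 LogonType=10 User=admin Src=198.51.100.23
2018-02-10T03:14:04 4625 LogonType=10 User=backup Src=198.51.100.23
2018-02-10T03:14:06 4625 LogonType=10 User=administrator Src=198.51.100.23
2018-02-10T03:14:07 4625 LogonType=10 User=sql Src=198.51.100.23
2018-02-10T03:14:09 4625 LogonType=10 User=administrator Src=198.51.100.23
2018-02-10T03:20:00 4625 LogonType=2 User=alice Src=10.0.0.5
2018-02-10T03:45:12 4625 LogonType=10 User=bob Src=203.0.113.7
2018-02-10T03:46:00 4624 LogonType=10 User=administrator Src=198.51.100.23
"""

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def parse_event(line):
    """Split one constructed event line into a dict of typed fields."""
    ts, event_id, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "time": datetime.fromisoformat(ts),
        "id": int(event_id),
        "logon_type": int(kv["LogonType"]),
        "user": kv["User"],
        "src": kv["Src"],
    }


def parse_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def rdp_bruteforce_sources(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: (max_failures_in_window, distinct_users)} for every source
    that produced at least `threshold` failed RDP logons inside `window`.
    Interactive (type 2) failures are ignored: a user mistyping a password
    at the console is not remote password guessing."""
    failures = defaultdict(list)
    for ev in parse_events(text):
        if ev["id"] == FAILED_LOGON and ev["logon_type"] == RDP_LOGON_TYPE:
            failures[ev["src"]].append(ev)

    hits = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["time"])
        best, best_users, start = 0, set(), 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_users = {e["user"] for e in evs[start:end + 1]}
        if best >= threshold:
            hits[src] = (best, len(best_users))
    return hits


def successful_logon_after_burst(text, **kwargs):
    """Sources that were flagged by rdp_bruteforce_sources and later achieved a
    successful RDP logon: the point at which a guessing campaign becomes a
    compromised host that needs incident response, not just blocking."""
    flagged = rdp_bruteforce_sources(text, **kwargs)
    compromised = []
    for ev in parse_events(text):
        if (ev["id"] == SUCCESSFUL_LOGON and ev["logon_type"] == RDP_LOGON_TYPE
                and ev["src"] in flagged and ev["src"] not in compromised):
            compromised.append(ev["src"])
    return compromised


if __name__ == "__main__":
    print("guessing sources:", rdp_bruteforce_sources(SAMPLE_EVENTS))
    print("guessed then logged in:", successful_logon_after_burst(SAMPLE_EVENTS))
```

The threshold and window are starting points, not tuned values; what matters operationally is the second function, since a successful type-10 logon from an address that was just guessing passwords means the machine should be treated as compromised and its later process and file activity reviewed.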

Once the infection has taken place, the malware searches the computer for potentially valuable data. It then encrypts every item it found and renames the files in a peculiar way, adding the victim ID, the attacker’s email address and the .java suffix to the original names. To let the user know what has happened, it drops a pair of ransom notes onto the desktop: one is named ‘Files Encrypted.txt’, the other Info.hta. The HTA file is configured to pop up automatically each time the PC boots up.
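The renaming scheme and the two note files give a responder something concrete to look for when triaging a share or a backup snapshot. The following is an added example, not code from the article: it parses filenames of the form described above and summarises a directory listing. The exact layout of the appended fields (the ID marked with an `id-` prefix and the email address in square brackets) is an assumption for illustration, as is the constructed listing; a plain `Main.java` source file is included to show that the check must not fire on legitimate Java files.

```python
# Added example (not from the original article): recognise files renamed by the
# .java CrySiS/Dharma variant and the ransom notes it drops. The field layout
# "<name>.id-<victim id>.[<email>].java" is an assumption; the listing is constructed.
import re

ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)"            # original filename, extension included
    r"\.id-(?P<victim_id>[0-9A-Fa-f]+)"   # victim ID (assumed hex)
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"  # attacker contact address in brackets
    r"\.java$"                       # the appended .java suffix
)

# Note names given in the article.
RANSOM_NOTE_NAMES = ("Files Encrypted.txt", "Info.hta")

# Constructed listing: three encrypted documents, two ordinary files, two notes.
SAMPLE_LISTING = [
    "Q1_report.xlsx.id-1A2B3C4D.[restorefiles@example.com].java",
    "family.jpg.id-1A2B3C4D.[restorefiles@example.com].java",
    "db_backup.bak.id-1A2B3C4D.[restorefiles@example.com].java",
    "Main.java",          # legitimate Java source: must not match
    "notes.txt",
    "Files Encrypted.txt",
    "Info.hta",
]


def parse_encrypted_name(name):
    """Return the original name, victim ID and email if `name` follows the
    assumed ransomware scheme, else None. A plain .java file has no
    '.id-<id>.[<email>]' segment and therefore returns None."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def scan_listing(names, min_ratio=0.2):
    """Summarise a directory listing for triage.

    Returns the encrypted files with their recovered original names, the set
    of victim IDs and contact addresses seen, which ransom notes are present,
    and a `suspicious` flag that is set when either a note is present or more
    than `min_ratio` of the files carry the encrypted-name pattern."""
    encrypted, victim_ids, emails = [], set(), set()
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed:
            encrypted.append((n, parsed["original"]))
            victim_ids.add(parsed["victim_id"])
            emails.add(parsed["email"])
    notes = [n for n in names if n in RANSOM_NOTE_NAMES]
    ratio = len(encrypted) / len(names) if names else 0.0
    return {
        "encrypted_count": len(encrypted),
        "originals": [orig for _, orig in encrypted],
        "victim_ids": victim_ids,
        "emails": emails,
        "ransom_notes": notes,
        "encrypted_ratio": ratio,
        "suspicious": bool(notes) or ratio >= min_ratio,
    }


if __name__ == "__main__":
    summary = scan_listing(SAMPLE_LISTING)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Recovering the original filenames from the renamed ones is useful even when the content cannot be decrypted: it tells the responder which files were hit so they can be restored from backup, and the victim ID and contact address tie separate machines to the same campaign.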

These notes tell the victim to email the crooks and quote the unique ID. The perpetrators reply with instructions on regaining access to the crippled files: specifically, the user is supposed to pay a ransom in Bitcoin, the amount being worth hundreds of US dollars.

Given the danger posed by the .java file ransomware, prevention should be the priority. To this end, users should secure their RDP connections as reliably as possible. Another invaluable measure is to maintain backups of the most important data, so that an attack like this doesn’t cause any significant harm.


Copyright © 2018 MalwareCheck.org, All rights reserved.