Sophos has uncovered a new and unusually nasty ransomware family, JS/Ransom-DDL, written entirely in JavaScript.
Like all ransomware, JS/Ransom-DDL encrypts files and demands payment to unlock them. On top of that, it installs password-stealing malware in addition to the encryption, so even a victim who pays the ransom is left with a compromised machine.
JS/Ransom-DDL doesn't need to download a separate executable: the whole payload is carried in the JavaScript file itself, which arrives as an email attachment disguised as a harmless text document. It takes advantage of the fact that Windows hides file extensions by default and runs .JS files through Windows Script Host on double-click, so a user who opens the "document" actually launches the script.
When run, JS/Ransom-DDL immediately contacts a server controlled by the cyber-criminals to obtain an encryption key. The server replies with a unique victim identifier and a randomly generated AES key, so victims cannot share or reuse keys.
JS/Ransom-DDL then encrypts the victim's data. Once the process is complete, a README document tells the user how to "regain access" to their files.
Victims must purchase the AES key to unscramble their data. At the time of writing the price was 0.39 BTC (about $250).
How to Avoid:
Configure Windows to show file extensions. With extensions hidden, a file named, for example, invoice.txt.js is displayed as invoice.txt; showing extensions exposes JavaScript files posing as something else.
Configure Windows to open JavaScript files with Notepad, not with WSH (Windows Script Host). A double-clicked .JS file then opens harmlessly as text rather than running as a program. Note that this only changes what double-clicking does: a script can still be run deliberately with wscript.exe or cscript.exe, and the sibling script types (.JSE, .VBS, .VBE, .WSF, .WSH) need the same treatment or they remain double-click-to-run.
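The two steps above, applied from an elevated PowerShell session, as an added example that is not part of the Sophos write-up. The registry locations and ProgIDs (JSFile, JSEFile, VBSFile, VBEFile, WSFFile, WSHFile, and the Windows Script Host Settings key) are the standard Windows ones; the Notepad handler string, the function names and the choice to cover the sibling script types are this example's own.

```powershell
# Added example: harden a Windows machine against double-clicked script attachments.
# Assumes an elevated session (the HKLM changes need it). Not code from Sophos.

# 1. Show file extensions in Explorer for the current user, so "invoice.txt.js"
#    no longer displays as "invoice.txt".
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# 2. Point the WSH script file types at Notepad instead of wscript.exe.
#    .JS is what JS/Ransom-DDL uses; the rest are the sibling types that would
#    otherwise still run on double-click.
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$notepad = '"{0}" "%1"' -f (Join-Path $env:SystemRoot 'System32\notepad.exe')

function Set-ScriptTypesToNotepad {
    foreach ($progId in $scriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $cmdKey)) { continue }   # type not registered on this build
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
    }
}

# Read back the effective machine-wide handler for each type so the change
# can be verified (or audited later by a script that checks the Hardened column).
function Test-ScriptHandlerHardening {
    foreach ($progId in $scriptProgIds) {
        $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
        if (-not (Test-Path $cmdKey)) { continue }
        $handler = (Get-ItemProperty -Path $cmdKey).'(default)'
        [pscustomobject]@{
            ProgId   = $progId
            Handler  = $handler
            Hardened = ($handler -like '*notepad.exe*')
        }
    }
}

# 3. Optional, stronger: disable Windows Script Host outright for every user.
#    This also stops explicit wscript.exe/cscript.exe runs, but it breaks any
#    legitimate logon or admin scripts that rely on WSH, so test before rolling out.
function Disable-WindowsScriptHost {
    $wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    New-Item -Path $wsh -Force | Out-Null
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord
}

Set-ScriptTypesToNotepad
Test-ScriptHandlerHardening | Format-Table -AutoSize
```

One caveat when checking the result: if a user has previously picked a different program through "Open with", Windows records a per-user UserChoice entry under HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js that takes precedence over the machine-wide ProgID handler, so a clean Hardened column does not by itself prove that double-click is safe for every account on the box. Disable-WindowsScriptHost has no such loophole, which is why it is worth considering on machines that have no legitimate use for WSH.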