[SI-LAB] #OpJerusalem 2019 – JCry ransomware is now infecting Windows users

by chebbi abir

Over the last few days, a new ransomware campaign infected several users around the world as part of the #OpJerusalem campaign.

SI-LAB analyzed this malware and found that it does not use sophisticated techniques. The criminals used the UPX packer to protect malware code written in Go, and an RSA public certificate is hardcoded inside the malware to encrypt every victim's target files. The result is a single “key” shared across all infected victims, which means that one RSA private key can be used to decrypt all the files as well.

JCry is a recent ransomware written in Go, which makes its analysis harder. The criminals took care to protect their code, but the UPX packer can be easily removed, allowing a more efficient analysis of the threat.

It is also important to note that a new unique key is generated every time the malware runs. However, the RSA public key used to encrypt the target files is static and hardcoded inside the ransomware.

By obtaining this private key, the files of every infected user can be recovered, even though the per-run key is unique to each victim.
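The two indicators SI-LAB calls out above, UPX packing and a hardcoded PEM public key, are both visible in a static triage pass. The following script is an added example, not SI-LAB's tooling and not derived from the JCry sample: it scans a byte blob for the section names UPX leaves behind, extracts any PEM block whose body decodes to an ASN.1 SEQUENCE (the outer tag of a SubjectPublicKeyInfo), and checks for the `.jcry` extension string. The sample blob and the key body are constructed placeholders, not real malware bytes or a real key.

```python
import base64
import binascii
import re

# Section names and magic that the UPX packer leaves in a packed PE.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX2", b"UPX!")

# Matches a PEM block of any label and captures its base64 body.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed placeholder for the DER body of a public key: an ASN.1
# SEQUENCE holding two small INTEGERs. It is NOT a real key; it only has
# the outer structure the check below looks for.
FAKE_DER = b"\x30\x06\x02\x01\x11\x02\x01\x03"
FAKE_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
            + base64.encodebytes(FAKE_DER)  # wrapped lines, trailing newline
            + b"-----END PUBLIC KEY-----\n")

# Constructed sample blob standing in for strings dumped from a sample:
# a PE stub, UPX section names, the embedded PEM and the ransom extension.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
          + b"\x00" * 8 + FAKE_PEM + b"\x00" * 4
          + b".jcry\x00" + b"UPX!\x00")


def find_upx_markers(data: bytes) -> list:
    """Return the UPX section names / magic present in the blob, sorted."""
    return sorted(m.decode() for m in UPX_MARKERS if m in data)


def extract_pem_blocks(data: bytes) -> list:
    """Return (label, der_bytes) for every PEM block whose body is valid
    base64 and decodes to data starting with an ASN.1 SEQUENCE tag (0x30)."""
    found = []
    for label, body in PEM_RE.findall(data):
        try:
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except binascii.Error:
            continue  # a PEM-looking block whose body is not base64
        if der[:1] == b"\x30":
            found.append((label.decode(), der))
    return found


def triage(data: bytes) -> dict:
    """Summarise the indicators relevant to this family in one dict."""
    keys = extract_pem_blocks(data)
    upx = find_upx_markers(data)
    return {
        "upx_markers": upx,
        "public_keys": keys,
        "mentions_jcry_extension": b".jcry" in data,
        "hardcoded_public_key": any(label == "PUBLIC KEY" for label, _ in keys),
        "likely_packed": bool(upx),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE).items():
        print(f"{name}: {value}")
```

Run it on the raw file and again on the UPX-unpacked copy: the packed copy shows the markers, the unpacked copy is where the PEM block and extension string normally become visible. A match on the section names is only a hint that the sample is packed, since a packer can rename them; the PEM extraction is the part worth keeping, because a static public key recovered this way is exactly the finding the analysis above turns on.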

The new ransomware, dubbed JCry (it renames encrypted files with the .jcry extension), is part of OpIsrael 2019, an annual coordinated cyber attack against Israeli government and private websites, launched with the stated goal of “erasing Israel from the Internet” in protest against the Israeli government's conduct in the Israel-Palestine conflict.

In the past, the attackers have used common attack vectors such as website defacements and distributed denial-of-service (DDoS) attacks. On April 7th, 2013, for instance, the most successful attack so far was recorded: the Anonymous group combined data leaks and DoS conditions against a huge number of Israeli websites.

According to the media (see this link), the number of participants and supporters has been decreasing since the 2013 attack.


Figure 1: #OpIsrael participant statistics.

This time, a new attack is ongoing and is targeting private websites. The attacks come one month before the campaign's usual date.

Last weekend, hundreds of popular Israeli websites were targeted by a cyber attack called #OpJerusalem, whose goal is to infect Windows users with the JCry ransomware. In this case, the attack vector used to distribute the ransomware is defaced websites.

To carry out this attack, the crooks modified the DNS record of a popular web accessibility plugin from nagich[.]com. When users visit a website that uses the plugin, a malicious script is loaded instead of the legitimate one.
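The distribution vector above is a third-party script swapped out underneath the sites that embed it. The browser-side control for that is Subresource Integrity (SRI): the embedding page pins a hash of the script file, and the browser refuses to run a fetched copy whose hash differs, whatever host the DNS record now points at. The following is an added example, not code from SI-LAB or from the plugin vendor, and the page does not say whether the affected sites used SRI; the script contents and the `plugin.example.invalid` URL are constructed placeholders.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")

# Constructed stand-in for the legitimate plugin file; the real file's
# contents are not on the page.
LEGIT_SCRIPT = b"(function(){window.a11yWidget={version:'1.0'};})();\n"
# The same file after someone in control of the serving host has altered it.
TAMPERED_SCRIPT = LEGIT_SCRIPT.replace(b"version:'1.0'", b"version:'1.0',extra:1")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Build the integrity value for a script file: '<algo>-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Return True only if the fetched content matches the pinned value.

    Mirrors the browser's decision: unknown algorithm or wrong digest
    means the script is not executed."""
    algo, sep, _ = integrity.partition("-")
    if not sep or algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag a site operator would publish for the pinned file."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    pinned = sri_hash(LEGIT_SCRIPT)
    print(script_tag("https://plugin.example.invalid/a11y.js", LEGIT_SCRIPT))
    print("legit copy accepted:", verify_sri(LEGIT_SCRIPT, pinned))
    print("tampered copy accepted:", verify_sri(TAMPERED_SCRIPT, pinned))
```

The pin only works for a fixed, versioned file: a plugin that updates itself in place would break on every legitimate release, which is why many sites skip SRI for this kind of widget and end up exposed exactly as described above. The `crossorigin` attribute is required for cross-origin scripts, otherwise the browser cannot perform the integrity check at all.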

Ido Naor, Principal Security Researcher at Kaspersky Lab, was the one who shared this threat at VirusBay on Saturday, March 2nd.

