Jkwerlo Ransomware
Jkwerlo is a malicious program classified as ransomware. Its primary function is to encrypt data and then demand payment in exchange for decryption. Unlike many other ransomware variants, which typically append an extension to the names of locked files, Jkwerlo leaves the original file names unchanged. Upon completion of the encryption process, the ransomware generates a ransom note titled 'IMPORTANT_README.txt.' The note is the attackers' channel to the victim: it states the terms of the ransom payment and gives instructions on how to proceed with decryption.
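Because Jkwerlo keeps the original file names, a defender cannot spot affected files by looking for a ransomware extension. The content has to be judged instead. The following added example (written for this page, not code from the write-up or from the malware) checks whether a file's header still matches the format its extension claims, whether a "text" file still decodes as text, and otherwise falls back to a Shannon-entropy threshold; it also reports the 'IMPORTANT_README.txt' note named above. The format signatures, the 7.5 bits-per-byte threshold and the sample files built in `demo()` are assumptions and constructed data, not values taken from the page.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE_NAME = "IMPORTANT_README.txt"  # note file name stated in the write-up

# Well-known leading bytes for common document types (assumed list, extend as needed).
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}
TEXT_EXTS = {".txt", ".csv", ".log"}
ENTROPY_THRESHOLD = 7.5  # bits/byte; assumption: plaintext documents rarely exceed this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 is the maximum, typical of ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(name: str, data: bytes) -> bool:
    """Decide from content alone whether a file that kept its name has been overwritten."""
    ext = Path(name).suffix.lower()
    sig = MAGIC.get(ext)
    if sig is not None:
        # Known type: an intact header means at least the start was not overwritten.
        # (Caveat: compressed formats are high-entropy, so entropy is NOT used here.)
        return not data.startswith(sig)
    if ext in TEXT_EXTS:
        try:
            data.decode("utf-8")  # non-UTF-8 legacy text would be a false positive
            return False
        except UnicodeDecodeError:
            return True
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan_directory(root: str) -> dict:
    """Walk root; collect ransom notes and files whose content looks encrypted."""
    findings = {"ransom_note": [], "suspicious": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if fn == RANSOM_NOTE_NAME:
                findings["ransom_note"].append(full)
                continue
            with open(full, "rb") as fh:
                head = fh.read(64 * 1024)  # the first 64 KiB is enough to judge
            if looks_encrypted(fn, head):
                findings["suspicious"].append(full)
    return findings


def demo() -> dict:
    """Constructed sample tree: an intact PDF, an overwritten PDF that kept its name, a note."""
    root = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n",
        "invoice.pdf": bytes(range(256)) * 8,  # constructed stand-in for ciphertext
        "notes.txt": b"quarterly notes\n",
        RANSOM_NOTE_NAME: b"Your computer files have been encrypted.\n",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    result = scan_directory(root)
    return {k: sorted(os.path.basename(p) for p in v) for k, v in result.items()}


if __name__ == "__main__":
    print(demo())
```

Run it against a real share with `scan_directory("/path/to/share")`; files flagged as suspicious alongside a ransom note are strong evidence that encryption has already happened, and the intact ones are the candidates worth isolating before restoring from backup.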
The Jkwerlo Ransomware Displays Sophisticated Harmful Functions
Jkwerlo stands out as a sophisticated ransomware strain, showcasing a level of complexity in its operations. Notably, it has been observed targeting users who communicate in Spanish and French. The attacks employ distinct infection chains, each characterized by varying levels of intricacy.
When infiltrating systems, Jkwerlo typically arrives as a relatively compact executable of 5 to 6 megabytes, disguised with a PDF document icon. The malware relies heavily on PowerShell commands to carry out its malicious activity.
One notable feature of Jkwerlo is its ability to terminate processes, particularly those holding files open, such as database programs and text file readers. By killing them first, the ransomware ensures that files which would otherwise be skipped because they are 'in use' can still be encrypted. The program also takes additional measures to increase its impact, such as deleting the Shadow Volume Copies, which removes a potential avenue for recovery.
In its quest for persistence and evasion, Jkwerlo modifies the Boot Configuration Data (BCD) and disables crucial security components such as Microsoft Defender Antivirus, including Controlled Folder Access. Additionally, it attempts to delete the executables for Task Manager (Taskmgr.exe) and Resource Monitor (Resmon.exe), further complicating detection and mitigation efforts. This multi-faceted approach underscores the ransomware's sophistication and the importance of robust cybersecurity measures to counter its harmful activities.
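The behaviours described in the two paragraphs above (process termination, Shadow Volume Copy deletion, BCD modification, Defender and Controlled Folder Access tampering, deletion of Taskmgr.exe and Resmon.exe) are all carried out through PowerShell, which means PowerShell script-block logging is a natural place to detect them. The added example below (written for this page; not code from the write-up, and the page does not give Jkwerlo's actual command lines) tags logged script text with the commonly observed command patterns for each behaviour and flags a host once several distinct tags appear together, so that a single legitimate `Stop-Process` does not fire on its own. The log format (timestamp, host, script text) and every log line in `SAMPLE_LOG` are constructed for the example; the regexes are generic patterns of the kind found in public detection rules, not indicators recovered from Jkwerlo.

```python
import re
from collections import defaultdict

# Behaviour tag -> pattern over PowerShell script-block text (assumed, generic patterns).
PATTERNS = {
    "process_termination": re.compile(r"Stop-Process\b.*-Force|taskkill(?:\.exe)?\b.*\s/f\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy", re.I
    ),
    "bcd_tamper": re.compile(r"bcdedit(?:\.exe)?\b.*(?:recoveryenabled|bootstatuspolicy|safeboot)", re.I),
    "defender_tamper": re.compile(
        r"Set-MpPreference\b.*(?:-Disable\w+|-EnableControlledFolderAccess\s+Disabled)", re.I
    ),
    "tool_deletion": re.compile(r"\b(?:Remove-Item|del|erase|rm)\b.*\b(?:Taskmgr|Resmon)\.exe", re.I),
}

# Constructed sample: "<timestamp> <host> <script block text>", one event per line.
SAMPLE_LOG = r"""
2024-01-10T09:12:01 WS-07 Get-ChildItem -Path C:\Users -Recurse
2024-01-10T09:12:05 WS-07 Stop-Process -Name sqlservr,notepad -Force
2024-01-10T09:12:06 WS-07 vssadmin delete shadows /all /quiet
2024-01-10T09:12:07 WS-07 bcdedit /set {default} recoveryenabled No
2024-01-10T09:12:08 WS-07 Set-MpPreference -DisableRealtimeMonitoring $true -EnableControlledFolderAccess Disabled
2024-01-10T09:12:09 WS-07 Remove-Item C:\Windows\System32\Taskmgr.exe -Force
2024-01-10T09:30:00 WS-12 Get-MpPreference
2024-01-10T09:31:00 WS-12 Stop-Process -Name notepad -Force
"""


def classify(script_text: str) -> set:
    """Return the set of behaviour tags whose pattern matches one script block."""
    return {tag for tag, rx in PATTERNS.items() if rx.search(script_text)}


def triage(log_text: str, min_tags: int = 2) -> dict:
    """Aggregate tags per host; report hosts showing at least min_tags distinct behaviours.

    Requiring several distinct tags keeps an isolated admin action (e.g. one Stop-Process)
    below the alert threshold while the clustered sequence described above stands out.
    """
    per_host = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, host, script = line.split(None, 2)
        per_host[host] |= classify(script)
    return {host: tags for host, tags in per_host.items() if len(tags) >= min_tags}


if __name__ == "__main__":
    for host, tags in triage(SAMPLE_LOG).items():
        print(f"{host}: {', '.join(sorted(tags))}")
```

In a real deployment the input would be the ScriptBlockText field of Event ID 4104 records rather than a flat text file; the per-host aggregation is the part worth keeping, because the individual commands are also used by legitimate administration and only their clustering on one host in a short window is characteristic of this kind of ransomware.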
The Jkwerlo Ransomware Tries to Extort Ransom Payments from Its Victims
Jkwerlo's ransom note states that the inaccessible files have been encrypted and warns against any attempt at manual decryption, claiming it risks rendering the data irretrievable. Recovery requires the decryption key, which only the attackers hold, and to obtain it victims are told to pay a ransom. Once the funds are transferred, the cybercriminals promise to deliver the decryption tools and accompanying instructions within 24 hours.
Despite these promises, information security researchers emphasize that decryption without the cybercriminals' direct involvement is generally impossible. The cases where it is feasible usually involve deeply flawed ransomware, which is rare.
Compounding the risk, victims often never receive the keys or tools needed to decrypt their data, even after complying with the ransom demands. Experts therefore strongly discourage paying: there is no assurance of successful file recovery, and the payment funds further criminal activity.
Removing the ransomware from the operating system is a necessary step to prevent further encryption, but removal alone does not restore files that have already been affected. The recommended course is to restore the files from a previously created backup, provided one exists and is stored in a separate, secure location. This provides a reliable means of data restoration without perpetuating the cycle of ransom payments and criminal activity.
The ransom note generated by the Jkwerlo Ransomware is:
'Your computer files have been encrypted. DO NOT TURN OFF THE MACHINE OR TRY TO MODIFY THE FILES! Please, don't try either to decrypt them without the proper key, this may result in an unrecoverable state. It's nearly impossible to guess the key, so do not spend time on it.
When the payment it's done you will receive the decrypter and the instructions to recover the files within 24 hours.
Contact to recover the files:'
The Spanish variant of the ransom note is:
'Hola,
Consulte la información vital que he compartido con usted mediante Google Drive.
Abra el archivo para ver los detalles.
Saludos.
AVISO DE CONFIDENCIALIDAD: Este correo electrónico y cualquier archivo transmitido son privados y confidenciales y son para uso exclusivo de los destinatarios a quienes está dirigido. Cualquier revisión, uso, divulgación, distribución o copia no autorizada de esta comunicación está estrictamente prohibida. Si recibió esta comunicación por error, elimínela y notifique inmediatamente al remitente a través de la dirección de devolución de correo electrónico. Gracias por su cumplimiento.
Por favor considere el medio ambiente antes de imprimir este e-mail.'
There is also a French-language variant of Jkwerlo's ransom note:
'Bonjour,
Veuillez vous référer aux informations vitales que j'ai partagées avec vous à l'aide de Google Drive.
Ouvrez le fichier pour afficher les détails.
Salutations.
AVIS DE CONFIDENTIALITÉ: Cet e-mail et tous les fichiers transmis sont privés et confidentiels et sont uniquement destinés à l'usage du(des) destinataire(s) auquel il est adressé. Toute révision, utilisation, divulgation, distribution ou copie non autorisée de cette communication est strictement interdite. Si vous avez reçu cette communication par erreur, veuillez la supprimer et en informer immédiatement l'expéditeur via l'adresse e-mail de retour. Merci pour votre conformité.
Pensez à l'environnement avant d'imprimer cet e-mail.'