
JNEC Ransomware

By GoldSparrow in Ransomware

The JNEC Ransomware is an encryption ransomware Trojan that was first observed carrying out attacks on March 17, 2019. It is delivered to victims via corrupted spam email attachments that entice computer users by offering access to nude pictures and pornographic material. When victims attempt to open the password-protected RAR file attached to these emails, the JNEC Ransomware is installed and compromises the victims' files.

How the JNEC Ransomware Attack Works

The JNEC Ransomware executes a typical encryption ransomware attack, using a strong encryption algorithm to make the victim's files inaccessible and then demanding a ransom payment from the victim. Based on the social engineering tactic used to distribute it, the JNEC Ransomware seems to target both English and Russian speakers. Once the JNEC Ransomware is installed, it will use a malicious script that exploits a known vulnerability in WinRAR (CVE-2018-20250), which allows the criminals to deliver the JNEC Ransomware Trojan. Once installed, the JNEC Ransomware uses a strong encryption algorithm to encrypt user-generated files, which may include files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The JNEC Ransomware marks the files it encrypts by adding the file extension '.Jnec' to each affected file's name. It delivers its ransom note in a text file named 'NEC.README.TXT' on the infected computer's desktop and also opens a program window with the name 'JNEC.a.' The following are the ransom messages that the JNEC Ransomware displays in its text note and program window:

Encrypted files: [number of encrypted objects]
Deposit amount: 0.05 BTC
Your email:
Create this mailbox to get the decryption key, as soon as the payment arrives we will contact you from'
BTC address for pay 1JK1gnn4KEQRf8n7pH7iNvmV8WXTfq7kVa'
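
For incident scoping, the two on-disk indicators described above (the appended '.Jnec' extension and the 'NEC.README.TXT' note) can be searched for directly. The following Python script is an added example, not part of the original article; its function names, the case-insensitive matching and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER_EXT = ".jnec"          # extension the article says is appended to affected files
NOTE_NAME = "nec.readme.txt"  # ransom note file name as given in the article
# Assumption: both indicators are compared case-insensitively.


def scan_for_jnec(root):
    """Walk root; return (marked_files, ransom_notes, counts_by_original_extension)."""
    marked, notes, by_ext = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == NOTE_NAME:
                notes.append(path)
            elif lower.endswith(MARKER_EXT) and len(name) > len(MARKER_EXT):
                marked.append(path)
                # Strip the appended marker to recover the original extension,
                # which shows what kinds of data need restoring from backup.
                original = Path(name[: -len(MARKER_EXT)])
                by_ext[original.suffix.lower() or "(none)"] += 1
    return marked, notes, by_ext


def build_sample_tree(root):
    """Create constructed sample data (not real case data) under root."""
    for rel in ("Documents/report.docx.Jnec", "Pictures/photo.jpg.Jnec",
                "Documents/notes.txt", "Desktop/NEC.README.TXT"):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        marked, notes, by_ext = scan_for_jnec(tmp)
        print(f"{len(marked)} marked files, {len(notes)} ransom note(s)")
        for ext, count in by_ext.most_common():
            print(f"  {ext}: {count}")
```

Pointing `scan_for_jnec` at a user profile or file share gives a count of affected files per original extension, which helps decide which backups to restore first.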

Dealing with the JNEC Ransomware and Protecting Your Data from Threats Like It

The JNEC Ransomware's ransom demand should be disregarded. Unfortunately, after the JNEC Ransomware attacks a computer, it is not possible to decode any files that have been encrypted, and paying the ransom does not in any way ensure that the criminals responsible for the JNEC Ransomware attack will deliver the decryption key. Instead, it is crucial that computer users take steps to protect their data preemptively. The best protection against these threats is to have backup copies of all files. This allows computer users to restore any data encrypted by the JNEC Ransomware without having to consider contacting the criminals. Apart from file backups, malware researchers strongly advise computer users to have a strong security program that is fully up to date.

