Threat Database Ransomware JSWorm Ransomware

JSWorm Ransomware

The JSWorm Ransomware is an encryption ransomware Trojan. The JSWorm Ransomware seems to be related to the GlobeImposter and other ransomware Trojans designed to mimic threats known more widely. The JSWorm Ransomware was first observed on January 24, 2019, and seems to carry out an encryption ransomware Trojan attack that is typical of these threats.

How the JSWorm Ransomware Trojan Enters a Computer

The JSWorm Ransomware seems to be delivered to the victims via corrupted Microsoft Office documents, often containing embedded macro scripts that download and install the JSWorm Ransomware onto the victim's computer. Once the JSWorm Ransomware has been installed, it scans the victim's computer for the user-generated files and encrypts them with the AES encryption to make them inaccessible, essentially taking the encrypted files hostage. The following are examples of the files that the JSWorm Ransomware targets in these attacks:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr , .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby , .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, , .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar

The JSWorm Ransomware attack marks the damaged files with the file extension '.JSWORM' added to the affected file's name. The JSWorm Ransomware also will target files on external memory devices connected to the infected computer. Once the JSWorm Ransomware has encrypted the victim's data, it will demand a ransom payment to restore the affected files. The JSWorm Ransomware delivers its ransom demand in a text message that reads as follows:

YOUR PID:[random characters]
Email us
Write your ID at title of mail and country at body of mail and wait answer.
You have to pay some bitcoins to unlock your files!
If you try to unlock your files. you may lose access to them!
No one can guarantee you a 100% unlock except us!
How to buy bitcoin'

Computer users are instructed to ignore the JSWorm Ransomware ransom note and to refrain from making any ransom payment.

Dealing with the JSWorm Ransomware

Unfortunately, once the JSWorm Ransomware has encrypted the targeted files, they are no longer recoverable. This is why prevention is essential to limit the damage caused by encryption ransomware Trojans like the JSWorm Ransomware. The best preventive measure is to have backup copies of your data and store them in an offline location such as an external memory device or an unsynched cloud service. If there are backups available, then computer users can recover from attacks like the JSWorm Ransomware by simply deleting the JSWorm Ransomware infection with a security program and then restoring any compromised data by copying it from the backup copies.

Update on 05-24-2019 - JSWorm 2.0 Ransomware

The developers of the JSWorm Ransomware have been updating their Trojan since its discovery in January 2019. The first update was in April 2019, was named JSWorm 2.0 Ransomware and didn't included any new feature. However, in May 2019, they decided to keep the same name, JSWorm 2.0 Ransomware but changed the file extension that is added to the damaged files to '[ID-XXXXXXXXX][].JSWORM' and the ransom note gained a new format, .text and was named JSWORM-DECRYPT.txt.

System files are not among the files that the JSWorm 2.0 Ransomware encrypts. However, the JSWorm 2.0 Ransomware can introduce other threatening applications and alter values of the infected machine's Registry.

However, there is good news; security researchers could break the JSWorm 2.0 Ransomware code and released a decryptor that the victims can use for free to recover their lost data.


Most Viewed