The latest, campaign, #OpJerusalem targeted a range of Israeli websites with the JCry ransomware. Sites affected included news site Makor Rishon and McDonalds Israel. The attacks intended to take over windows users’ devices and encrypt their files, however, the ransomware failed to deploy and instead defaced the affected webpages. The pages read:
Although the attack caused minimal damage, it, however, affected over a million pages of Nagich.
JCry Ransomware – What the hackers wanted to happen
Newly established, JCry Ransomware is a crypto-virus that takes down a website to use and deliver obscured malware through a fake Adobe webpage. If the deployment was successful, the consequences include loss of personal files for the user as well as compromised access to devices and potentially a shared network.
The ransomware extracts two files, dec.exe and enc.exe, once the malware executes in the device’s Startup folder. The enc.exe executes and proceeds in encrypting data on the device. The ransom note will form containing the users’ unique key and a bitcoin address for receiving the $500 ransom payment demanded. The hacker also provided users with a link to the TOR site to make a payment. The link itself is questionable as it does not allow the hacker to know who made the payment. This fact gives the impression that the chances of users receiving their files back decrypted are minimal.
What happened instead
Hackers used web plugin, nagich.com as the platform to lure users into clicking and installing the malware. By modifying the DNS record the websites containing this plugin loaded the malicious script embedded in its place. At the point of searching for the user-agent of the device, the ransomware should have deployed, if a windows system, and deface the page if it was not. Rather, the failure in coding caused the defacement in both instances. If it did deploy upon finding windows was running on a device, a fake Adobe page would have loaded prompting the user to click on the ‘update’ button. Plugins such as Adobe Flashplayer are often used to do this. Once the user clicks on ‘update,’ the ransomware hidden behind the executable, flashplayer_install.exe downloads.
On Saturday, the day the attacks launched, Nagich regained control over their site and stopped further attacks after a few hours.
The video below demonstrates what the Malware was supposed to do: