Joined: 12 September 18
27 May 21, 06:27
Quote:
Introduction
Over the past few years, the ransomware threat landscape has been gradually changing. We have been witness to a paradigm shift. From the massive outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, a lot of ransomware actors have moved to the covert but highly profitable tactic of “big-game hunting”. News of ransomware causing an outage of some global corporation’s services has now become commonplace.
In some cases, this global trend is just a reflection of the continuous life cycle of threats: old ransomware families shut down and new ones appear and pursue new targets. However, there are times when a single ransomware family has evolved from a mass-scale operation to a highly targeted threat – all in the span of two years. In this post we want to talk about one of those families, named JSWorm.
Chronology
JSWorm ransomware was discovered in 2019 and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and several others.
Several versions were released as part of each “rebranded” variant that altered different aspects of the code, renamed file extensions, cryptographic schemes and encryption keys.
In the diagram below we present some of the names used by this Trojan along with the dates the corresponding variant was actively distributed in the wild (ITW) (not the date it was first encountered). We should note that this list is not comprehensive, but it marks the main milestones in the evolution of JSWorm.
Together with name changes, the developers of this ransomware have also been reworking their code and trying different approaches to distribution.
At some point in 2020 the developers even changed the programming language from C++ to Golang, completely rewriting the code from scratch. However, the similarity in the cryptographic scheme, ransom notes and use of the same data leak website address led us to believe it’s the same campaign.
The original version of the malware, as well as some of the subsequent “rebrandings”, e.g., Nemty, were advertised on an underground forum by a poster with the username jsworm.
Distribution methods
From its creation in 2019 until the first half of 2020, JSWorm was offered as a public RaaS and was observed propagating via:
- RIG exploit kit
- Trik botnet
- Fake payment websites
- Spam campaigns
From the first half of 2020, the public RaaS was closed and the operators switched to big-game hunting. There is evidence of an initial breach via exploitation of vulnerable server-side software (Citrix ADC) and insecure RDP access.
...