Ransomware tainting files with the .java extension

Online extortionists have set about breaking the well-established association between the word Java and the popular programming language of that name. A new variant of the long-running ransomware family codenamed CrySiS, also known as Dharma, uses the .java extension to label encrypted files. This prolific lineage of data-encrypting infections continues to be updated regularly despite the general decline in ransomware propagation over the past several months. The spinoff in question has already produced multiple sub-versions that use the same file suffix.

The .java build of the CrySiS ransomware infects Windows computers in a fairly straightforward fashion. The crooks behind it scan the Internet for machines with Remote Desktop Protocol (RDP) exposed and run brute-force attacks to guess the RDP credentials. The malicious program is then executed on each compromised system manually. This infection vector is not mainstream, as most ransomware distributors opt for the spam or exploit kit route.
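The RDP brute-forcing described above leaves a trail of failed logon events on the target host. The following detector is an added example written for this page, not code from the original article or from any product: it reads constructed log records modelled on Windows Security events (event ID 4625 is the real failed-logon event and logon type 10 is the real RemoteInteractive/RDP type, but the one-line layout, the addresses and the user names are assumptions of this example) and flags any source address that produces a burst of failed RDP logons inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security failed-logon events.
# Event ID 4625 (failed logon) and logon type 10 (RemoteInteractive, i.e. RDP) are
# real Windows values; the one-line layout and the addresses are assumptions here.
SAMPLE_EVENTS = [
    "2018-04-02T03:12:01 EventID=4625 LogonType=10 TargetUser=administrator Source=203.0.113.7",
    "2018-04-02T03:12:04 EventID=4625 LogonType=10 TargetUser=administrator Source=203.0.113.7",
    "2018-04-02T03:12:09 EventID=4625 LogonType=10 TargetUser=admin Source=203.0.113.7",
    "2018-04-02T03:12:15 EventID=4625 LogonType=10 TargetUser=backup Source=203.0.113.7",
    "2018-04-02T03:12:22 EventID=4625 LogonType=10 TargetUser=administrator Source=203.0.113.7",
    "2018-04-02T03:12:30 EventID=4625 LogonType=10 TargetUser=administrator Source=203.0.113.7",
    "2018-04-02T03:15:00 EventID=4625 LogonType=10 TargetUser=jsmith Source=198.51.100.9",
    "2018-04-02T03:40:00 EventID=4625 LogonType=10 TargetUser=jsmith Source=198.51.100.9",
    "2018-04-02T03:41:00 EventID=4625 LogonType=3 TargetUser=svc_share Source=192.0.2.55",
    "2018-04-02T03:42:10 EventID=4624 LogonType=10 TargetUser=jsmith Source=198.51.100.9",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+)$"
)


def parse_event(line):
    """Return a dict for one record, or None if the line does not match the assumed layout."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.fromisoformat(d["ts"])
    d["event"] = int(d["event"])
    d["ltype"] = int(d["ltype"])
    return d


def find_rdp_bruteforce(lines, threshold=5, window_minutes=5):
    """Flag sources with at least `threshold` failed RDP logons inside any window of
    `window_minutes`. Only event 4625 with logon type 10 counts; successful logons
    (4624) and non-RDP failures (e.g. logon type 3, network) are ignored."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and ev["event"] == 4625 and ev["ltype"] == 10:
            failures[ev["src"]].append(ev)

    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        # Two-pointer sliding window: advance `start` until the window fits.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["failures"]):
                best = {
                    "failures": count,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    "users": sorted({e["user"] for e in evs[start:end + 1]}),
                }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {info['failures']} failed RDP logons between "
              f"{info['first']} and {info['last']}; accounts tried: {info['users']}")
```

On the constructed sample only 203.0.113.7 is flagged (six failures in under 30 seconds against three accounts); the two failures from 198.51.100.9 are 25 minutes apart and fall below the default threshold, and the logon type 3 failure is not RDP at all. The threshold and window are the usual tuning knobs; the durable mitigation is not to expose RDP to the Internet in the first place, and to pair it with account lockout and multi-factor authentication where remote access is required.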

Once on a host, the .java file virus enumerates all reachable storage for files in common formats. The locations traversed include hard drive partitions, removable drives and network shares. When a matching object is found, the culprit uses a combination of symmetric AES and asymmetric RSA encryption to render it inaccessible. It also renames each file, inserting the victim's ID and the threat actor's email address before the .java extension. Some of the email addresses reported to date include decrypthelp@qq.com, chivas@aolonline.top and black.mirror@qq.com.
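The renaming routine gives responders a cheap triage signal: the victim ID and the contact address are embedded in every encrypted file name. The script below is an added example for this page, not code from the original article: it parses file names of the form `<original>.id-<victim id>.[<email>].java` (the page only says the ID and address sit before the .java tail, so the exact delimiters are an assumption of this example), extracts both fields, checks the address against the ones listed above, and summarises a constructed directory listing without flagging genuine Java source files.

```python
import os
import re
from collections import Counter

# Attacker contact addresses named in the write-up above.
KNOWN_EMAILS = {"decrypthelp@qq.com", "chivas@aolonline.top", "black.mirror@qq.com"}

# Assumed layout of a renamed file: <original name>.id-<victim id>.[<email>].java
# The page states only that the ID and e-mail precede the .java tail; the "id-"
# prefix and the square brackets are assumptions of this example.
TAINTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Za-z]+)\.\[(?P<email>[^\]\s]+)\]\.java$"
)

# Constructed sample listing: two renamed documents, a genuine Java source file,
# an untouched text file, and a file tagged with an address the page does not list.
SAMPLE_NAMES = [
    "Budget2018.xlsx.id-1E857D00.[decrypthelp@qq.com].java",
    "photo.jpg.id-1E857D00.[decrypthelp@qq.com].java",
    "Main.java",
    "notes.txt",
    "report.docx.id-ABCDEF12.[someone@example.org].java",
]


def parse_tainted_name(name):
    """Return the original name, victim ID and contact address embedded in a renamed
    file, or None when the name does not follow the assumed ransomware layout."""
    m = TAINTED_NAME.match(name)
    if not m:
        return None
    d = m.groupdict()
    d["known_email"] = d["email"].lower() in KNOWN_EMAILS
    return d


def scan_names(names):
    """Summarise a list of file names: which are tainted, how many per victim ID and
    per contact address, and which addresses are not yet on the known list."""
    hits = [r for r in (parse_tainted_name(n) for n in names) if r]
    return {
        "hits": hits,
        "victim_ids": Counter(h["victim_id"] for h in hits),
        "emails": Counter(h["email"] for h in hits),
        "unknown_emails": sorted({h["email"] for h in hits if not h["known_email"]}),
    }


def scan_directory(root):
    """Walk a real directory tree and apply scan_names to every file name found."""
    names = []
    for _, _, files in os.walk(root):
        names.extend(files)
    return scan_names(names)


if __name__ == "__main__":
    summary = scan_names(SAMPLE_NAMES)
    print(f"{len(summary['hits'])} tainted file(s)")
    print("victim IDs:", dict(summary["victim_ids"]))
    print("contact addresses:", dict(summary["emails"]))
    print("addresses not on the known list:", summary["unknown_emails"])
```

A single victim ID recurring across many files is what you would expect on one infected host; more than one ID on a file server usually means several workstations were hit and wrote their encrypted output to the same share. Any address not on the known list is worth recording, since the page notes that new sub-versions keep appearing with fresh contact addresses.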

The CrySiS ransomware also displays a recovery manual in HTA format that instructs the compromised user to contact the felons via email. The extortionists then reply with the Bitcoin wallet address and the size of the ransom. The buyout deal is a matter of paying 0.1-0.2 BTC for the Pytherion crypter software and the private key. Paying is not recommended, however, as the criminals may not keep their promises. Restoring from data backups, or using forensic software for file recovery, is certainly the better option.