|Programming Language||C#, C++|
|File Type||Win32 PE executable (.EXE)|
|Damage costs||$2 billion|
JSWorm is a ransomware that stemmed from GusCrypter malware family, which has a goal to extort money from its victims by encrypting all personal files and demanding ransom to be paid for the decryption tool. It is part of the GusCrypter family.
JSWorm is usually spread through spam email attachments.
Additionally, the malware also drops a ransom note JSWORM-DECRYPT.html which explains that victims need to contact criminals via NIGER1253@COCK.LI email address if they want to recover their data. Since JSWorm belongs to a notorious ransomware category, it is known that encryption might be permanent. During the encryption process, ransomware changes the original code of the user's files and data that can be affected include:
- audio files;
Although JSWorm ransomware cannot encrypt system files, it makes additional alterations on your system. Windows Registry values may get altered, so ransomware is launched every time the user restarts the PC. However, these changes are made after the encryption and ransom demand.
JSWorm ransomware displays a ransom note in an HTML window that reads the following:
ALL YOUR FILES LOCKED! YOUR PID %HWID% YOUR PERSONAL EMAIL: NIGER1253@COCK.LI WHAT NOW? Email us Write your ID at title of mail and country at body of mail and wait answer. You have to pay some bitcoins to unlock your files! DON'T TRY DECRYPT YOUR FILES! If you try to unlock your files, you may lose access to them! REMEMBER! No one can guarantee you a 100% unlock except us! How to buy bitcoin
In a few months of being quiet, threat actors released JSWorm 2.0 ransomware in April 2019, which worked identical to its predecessor. In May, crooks struck again with the second version, and the appended extension was changed to [ID-XXXXXXXXX][email@example.com].JSWORM. Additionally, the ransom note was now in the text format and was named JSWORM-DECRYPT.txt.
Since the release of Emsisoft's decrypter in May, hackers altered the code with the release of JSWorm 3.0. The ransomware ask for money in Bitcoin, although the price is unknown.
JSWorm 3.1 was released around the same time as JSWorm 3.0 It is almost the same as the previous version except the ransom note has a image of a cartoon worm.
When executed, JSWORM 4.0.1 immediately searches the computer for target files and encrypts them with a highly complex algorithm. Infected files are simply recognizable by an appended JSWORM extension. As an example of infected files, word.docwill turn into word.doc.[ID-000000][RansomwareRecoveryExperts@tutanota.com]JSWORM after the encryption process. All files with these altered extension are intentionally made temporary inaccessible by attackers so that they can persuade victims to pay the ransom demand should they wish to regain access.