The ransomware landscape has drastically changed in the past few years and this change is the only thing constant. As targeted ransomware attacks continue cannonading organizations worldwide, it is essential that we look into the workings of some particular gangs to glean information about them and as a result, identify better defenses. One of those groups is the JSWorm ransomware group.
Evolutionary history
- First discovered in 2019, JSWorm ransomware gained infamy under several other names such as Nemty, Offwhite, and Nefilim, among others.
- Each rebranded strain had different codes, renamed file extensions, encryption keys, and different cryptographic schemes.
- In 2020, the developers changed the programming language to Golang from C++. it required them to completely rewrite the code.
Some statistics your way
- More than 39% of the victims targeted by the ransomware were located in Asia Pacific (Vietnam). Other victims were located in the U.S. Brazil, Argentina, Turkey, Iran, South Africa, Germany, Italy, and France.
- Around 41% of its victims operated in the engineering and manufacturing sector. It was followed by energy & utilities, professional & consumer services, and finance sectors at 10%.
- Transportation and healthcare sectors accounted for 7% of the attacks.
Extortionists
- The JSWorm ransomware family, in 2020, followed in the footsteps of other notorious ransomware families and started big-game hunting.
- The operators have their own data leak site where they publish stolen sensitive data.
- The website is still functional and, as of now, has details of more than 100 victim organizations.
- Some victims have been unfortunate enough to have their individual pages on the website from which their data can be downloaded.
The bottom line
The JSWorm family has witnessed massive evolution over the last two years, even going so far as to change its distribution models and entire redevelopments. Similar to other targeted ransomware threats, JSWorm infection can be prevented by securing organizational networks.
Source: https://cyware.com/news/its-time-we-talk-about-jsworm-ransomware-32787a6b