Sunday, May 18, 2025
HomeComputer SecurityHackers Spreading JCry Ransomware that Infecting Windows users via Compromised Websites

Hackers Spreading JCry Ransomware that Infecting Windows users via Compromised Websites

Published on

SIEM as a Service

Follow Us on Google News

Cyber criminals spreading new ransomware called Jcry which is written in Go language via #OpJerusalem2019 campaign that attack Windows users to encrypt the file and demand the ransom.

#OpJerusalem2019 is recently launched a cyber attack against the Israeli Government and the private websites including Coca-Cola, ToysRUs, McDonald ’s.

In result, An anonymous hacker group compromised hundreds of websites and destroyed nearly 1 million Israeli based webpages that belong to some of the leading brands.

- Advertisement - Google News

Attackers goal was “erasing Israel from the Internet” in protest against the Israeli government’s conduct in the Israel-Palestine conflict.

There are various attack vectors used by cybercriminals including website defacements, denial-of-service distributed attacks (DDoS), especially vulnerabilities in the 3rd party plug-ins.

This #OpJerusalem cyber attack mainly target the windows users and dropping the JCry ransomware which is distributed via defaced websites by this campaign.

A vulnerability that existing the third party accessibility plugin-in called nagich.co.il loaded malicious JavaScript code that defaced the sites and let attackers took advantage to exploit and compromise the millions of web pages.

JCry Ransomware Distribution

Once the targeted websites will be compromised then the cybercriminals placed the malicious javascript that executes and trigger the malicious Adobe update message.

Adobe update trick and force users to click “update” by displaying ”
Your version of Adobe Flash Player is outdated – Update“.

Once the unknowingly click the link then suddenly IT drops the
malicious file ” “flashplayer_install.exe” ” from hxxp://185.163.47.134.

This first .exe is a dropper Winrar SFX which contains 3 archives, Enc.exe , one of the archives responsible to encrypted all the target files from user’s devices.

According to Pedro Tavares from seguranca-informatica said to
GBHackers On Security” via Email “I analyzed this malware and noticed that it does not use sophisticated techniques. Criminals used UPX packer to protect malware code written in Go and a RSA public certificate is hardcoded inside malware to encrypt all user’s target files. This finding results in a simple “key” to encrypt all the infected victims. This means that a unique RSA private key can be used to decrypt all the files as well.”

After successful encryption process against all the file on the infected system then the new file extension is appended (.jcry).

Finally, the ransomware note will be created and displayed with the note
named JCRY_Note.html where attacker demand the $500 ransom payment via bitcoin.

In order to make a payment to receive the decryption key, attackers provide the recovery link which is pointed to the Tor that contains a field that receives the address of the wallet and the unique key generated.

By getting this private key, files of each infected users can be recovered – since the key to decrypt the files is also unique. Researcher said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity News updates.

Indicators of Compromise (IOCs)

Hashes

c86c75804435efc380d7fc436e344898 (flashplayer_install.exe)
775b0c7b3741221e6abef787b1595431 (Enc.exe)
c86e3bbe43d5c0ddf2eb9a2e1c555230 (Dec.exe)


Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Cybercriminal Andrei Tarasov Escapes US Extradition, Returns to Russia

Andrei Vladimirovich Tarasov, a 33-year-old Russian cybercrime figure known online as "Aels," has returned...

Researchers Replicate Advanced Tactics and Tools of VanHelsing Ransomware

Cybersecurity researchers at AttackIQ have meticulously emulated the intricate tactics, techniques, and procedures (TTPs)...