Security researchers have just found a brand-new encrypting Trojan called JackSparrow Ransomware. JackSparrow comes from the Ouroboros Ransomware family; it encrypts users' files and changes their names. After encrypting the data, it demands a ransom payment from victims.
JackSparrow resembles the nasty Trojan Harma Ransomware, and it may well become one of the most widespread malware threats designed to encrypt data and use it for extortion.
How Does JackSparrow Ransomware Infect Computers?
There are various methods of malware distribution. Just like other ransomware threats, JackSparrow is usually spread via spam campaigns, untrustworthy sources for software download, fake software updaters, software 'cracking' tools, and trojans.
- Untrusted sources for download - hackers distribute ransomware by hosting malicious files on various questionable download sources, such as Peer-to-Peer networks, unofficial websites, free file hosting, freeware websites, third-party downloaders, etc. The malicious files are disguised as legitimate and infect systems with malware when executed.
- Fake software updaters - fake software updaters infect systems either by exploiting flaws in outdated programs installed on the targeted machine or by installing malicious software instead of the promised updates. Hackers host these fake updaters on the same untrustworthy sources (Peer-to-Peer networks, freeware download sites, third-party downloaders, free file hosting pages) and disguise them as legitimate updates. When downloaded and opened, they infect victims' computers with malicious software.
- Software 'cracking' tools - some people use unofficial programs to bypass paid activation of licensed software. Unfortunately, these tools are dangerous, as hackers often use them for distributing malware.
- Trojans - cybercriminals are well aware that, once installed on a system, trojans can cause severe chain infections. For that reason, hackers often use programs of this type for installing malware.
How Does JackSparrow Ransomware Work?
JackSparrow has plenty of similarities with other ransomware-type programs such as Mew767, Xbvpnvee, and Ooss. All of these programs are created to encrypt victims' files and display a ransom note demanding payment for a decryption key. The main difference between the malware threats is the size of the ransom and the cryptographic algorithm the particular ransomware uses to encrypt victims' files.
After infecting a system, JackSparrow Ransomware renames users' files, inserting '.encrypted' into each file name. What makes this ransomware stand out is that instead of appending the new extension at the end of the file name, JackSparrow places it before the original extension. For instance, after encryption, 'marble-tiles.jpeg' will be renamed to 'marble-tiles.encrypted.jpeg', as shown in Figure 1 below.
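As an added defender-side example (not from the article or from any vendor tool), the following Python check recognises this 'marker before the original extension' naming pattern in a file listing, maps affected names back to their originals, and flags a tree once several files carry the marker. The regex, the hit threshold and the sample file names are assumptions constructed for this example.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# JackSparrow's rename scheme as described in the article: the marker '.encrypted'
# is inserted before the original extension, e.g. 'marble-tiles.jpeg' ->
# 'marble-tiles.encrypted.jpeg'. The regex, threshold and sample names below are
# assumptions constructed for this example, not taken from the malware itself.
JACKSPARROW_RE = re.compile(r"(?P<stem>.+)\.encrypted(?P<ext>\.[^./\\]+)")

def parse_jacksparrow_name(name: str) -> Tuple[str, bool]:
    """Return (original_name, True) if `name` follows the JackSparrow pattern,
    otherwise (name, False). A trailing '.encrypted' with no extension after it
    is deliberately not matched: other families append their suffix at the end."""
    m = JACKSPARROW_RE.fullmatch(name)
    if m is None:
        return name, False
    return m.group("stem") + m.group("ext"), True

def scan_filenames(names: Iterable[str], min_hits: int = 3) -> Dict[str, object]:
    """Map renamed files back to their original names and flag the listing as
    suspicious once at least `min_hits` files carry the marker (a single hit may
    be a legitimate file name; several in one tree point at mass encryption)."""
    hits: List[Tuple[str, str]] = []
    for name in names:
        original, matched = parse_jacksparrow_name(os.path.basename(name))
        if matched:
            hits.append((name, original))
    return {"hits": hits, "suspicious": len(hits) >= min_hits}

def scan_directory(root: str, min_hits: int = 3) -> Dict[str, object]:
    """Walk a real directory tree and apply the same check to every file path."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return scan_filenames(paths, min_hits)

# Constructed sample listing: three renamed files, one clean file, one file with
# an end-appended suffix (a different family's style) and one with no extension.
SAMPLE_NAMES = [
    "marble-tiles.encrypted.jpeg",
    "budget-2020.encrypted.xlsx",
    "thesis.encrypted.docx",
    "holiday.jpeg",
    "notes.txt.encrypted",
    "readme.encrypted",
]

if __name__ == "__main__":
    report = scan_filenames(SAMPLE_NAMES)
    for renamed, original in report["hits"]:
        print(f"{renamed} -> original name {original}")
    print("suspicious:", report["suspicious"])
```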
JackSparrow Encryption and Ransom Note
Victims' files are encrypted with the AES-256 encryption algorithm, and they can only be restored with the matching decryption key. The attackers sell the key for 100 XMR (Monero cryptocurrency). Instructions on how to make the ransom payment can be obtained by contacting the creators of JackSparrow at firstname.lastname@example.org, as shown in Figure 2 below.
Figure 1: JackSparrow ransom note. The note demands payment from infected victims to the cybercriminals behind JackSparrow. Source: besttechtips.com
Usually, only the attackers who created a particular ransomware can provide a decryption key that releases the compromised data. In some cases, victims receive tools that will NOT decrypt their files even after they have paid the ransom. For that reason, cybercriminals should NOT be trusted, and PC users are advised to keep regular backups of their files and use reliable antivirus software.