The WinRAR ACE vulnerability has been being exploited for nearly 19 years but has never had ransomware spread through it until now. When the ransomware is executed, the infected computer’s files are encrypted and attached to the .Jnec extension. A ransom note titled, “JNEC.README.TXT” then appears which requests 0.05 Bitcoin ($200 USD) in return for the decryption key. After the files are encrypted, a Gmail address is generated, and the user must create an account with that email in order to receive the decryption key. It is believed that the ransomware is coming from the archive “vk_4221345.rar” and the attackers are tricking their victims into decompressing it to free the contents. What really appears is an uncompleted image of a female and by this time the ransomware has already begun its process. Security researchers advised users not to pay and revealed that that attackers had screwed up–even they can’t decrypt the files once the deed is done.
Analyst Notes
As previously stated, users should not pay the ransom even if they are infected since the malware author is not able to decrypt the files, leaving users down $200 dollars and no access to their files. It is also advised that users upgrade to the most recent version of WinRAR, 5.70, to avoid occurrences like this one.
