Researchers at Forcepoint Security Labs are helping businesses fight back against a known malware actor with persistent monitoring and effective mitigation for the JavaScript-based ransomware “NELocker”. Carl Leonard, Principal Security Analyst at Forcepoint, commented below.
Carl Leonard, Principal Security Analyst at Forcepoint:
“A new JavaScript-based Nemucod ransomware, created by a known malicious actor, using legitimate command line utilities like 7Zip and PHP has refined its swift and stealthy approach to encrypting machines. This ransomware, dubbed NELocker by Forcepoint due to its Nemucod roots and its boilerplate style, can perform file encryption using any (“NE”) utility indiscriminately, benign or otherwise. NELocker has evolved from a generic Nemucod (malicious JavaScript downloader) that utilises malware from the Kovter and Miuref families, to include other components like PGDownloader, 7Zip and PHP command line utilities too.
The pace of this transformation highlights the ease and effectiveness of creating ransomware based on existing legitimate software which also has the added complication of being more difficult to detect. With the complexity of opportunistic ransomware attacks increasing, it’s never been more important for IT teams to not only protect their users with effective comprehensive filtering and decryption tools but to also educate users on the importance of remaining vigilant when opening e-mails, especially attachments and links that are contained within them.”