Skip to content ↓ | Skip to navigation ↓

What has caused a seemingly typical ransomware from turning into one of the most popular malware threats this year? I’ve uncovered the facts, so allow me to give some insight into how this ransomware became one of the most feared strains this year.

The First Johnycryptor Ransomware Major Hits

In early July 2016, various security vendors spotted the first major JohnyCryptor ransomware attacks.

Most of the infections of the ransomware, which is a variant of a popular family of malware, occur via typical distribution methods, including large-scale spam email campaigns that either linked to dangerous binaries or come with attachments bearing the ransomware payload.

Various social engineering tricks help persuade the victims to download and run the infected files. One of the most common scenarios included the impersonation of widely used services, such as shipping companies (delivering false delivery notification notes by DHL, FedEx, and other major solutions), banks (false account-related information and promotions), and other similar crafted messages.

JohnyCryptor also circulates around the web with the help of exploit kits, which are popular tools that allow the attackers to target whole networks of machines. These sophisticated and modular programs execute automated tests that find security weaknesses. By taking advantage of bad configurations, weak security policies and software bugs the hackers fire JohnyCryptor infections against the victims.

This ransomware, like other similar malware, uses a time limit of one week (depending on the variant) to pay the ransom sum of 0.5 to 1.5 Bitcoins. Because of the strong cryptography cipher that was employed by the virus, decryption was not possible for a given period of time. That made recovery and restoration of the affected files impossible if the computer users didn’t have offsite and offline backups of their data.

Even when security experts released decryption tools, file restoration still wasn’t guaranteed, as many variants of the JohnyCryptor were later updated. Every small change of the source code rendered those tools useless.

The Impact of The JohnyCryptor Ransomware Attacks

The JohnyCryptor attacks have been devastating. A security expert noted that for a period of just one month (August 2016), the attackers received the equivalent sum of 10,588 US Dollars. As the threat deletes all Shadow Volume Copies of the infected Microsoft Windows computer, the users cannot recover the affected files using recovery software.

Hackers from all across the world are embracing the popularity of the ransomware family. This has resulted in a sharp rise of distribution via alternative distribution methods. For example, we have seen an increase in spreading counterfeit software bundles through various download sites and P2P networks.

And then there’s malvertising. Victims of browser hijackers, such as PopAds (learn more about it and how to remove it), oftentimes see malicious ads that may lead to ransomware infections. The primary aim of this type of malware is to generate income from the users by presenting sponsored ads and to steal their private information by intercepting browser cookies. Most browser hijackers also have the ability to steal browsing history, stored account credentials, and other sensitive information.

All of this has turned this particular strain of ransomware from a typical malware to one of the most dangerous infections this year.

Have you taken the time to look at the monthly ransomware report for September 2016?

While JohnyCryptor is not featured in last month’s security news, the infections with this particular strain continue. This is evident from the ransomware activity statistics that we have reviewed from various anti-virus and anti-spyware vendors.

What to Do When an Infection with the JohnyCryptor Has Occurred

Do not pay the ransom fee to the hackers, as in many cases, there is no guarantee that the hackers will provide the decryption key. In some cases, the file that is sent to victims does not work and only installs additional malware onto an infected machine.

For a step-by-step process on removing JohnyCrypto, read this comprehensive removal guide.


Martin BeltovAbout the Author: Martin Beltov graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast, he enjoys writing about the latest threats and mechanisms of intrusion. He mainly contributes to the Best Security Search website.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.