Security Affairs

New JNEC.a Ransomware delivered through WinRAR exploit


A new strain of ransomware tracked as JNEC.a is spreading through an exploit that triggers the recently discovered vulnerability in WinRAR.

The ransomware was involved in attacks observed in the wild by the Qihoo 360 Threat Intelligence Center. Threat actors used an archive named “vk_4221345.rar” that delivers JNEC.a when its contents are extracted with a vulnerable version of WinRAR.

The vulnerability, tracked as CVE-2018-20250, was discovered by experts at Check Point in February; it could allow an attacker to gain control of the target system.

Over 500 million users worldwide use the popular software and are potentially impacted by the flaw, which affects all versions released in the last 19 years.

The flaw is an “Absolute Path Traversal” issue in the library that could be exploited to execute arbitrary code by using a specially crafted file archive.

The ransomware encrypts data on the victim’s machine, appends the .Jnec extension to the encrypted files and demands a ransom of 0.05 bitcoins (about $200).

Once the ransomware has encrypted the files on the victim’s computer, it generates a Gmail address that victims need to create in order to receive the file decryption key once they pay the ransom.

This way of identifying infected machines is a novelty in the threat landscape: victims must register the Gmail account provided by the ransomware in order to receive the decryption keys.

The JNEC.a ransomware also drops a ransom note (JNEC.README.TXT) on the infected computer to provide instructions on how to make the payment.

JNEC.a is written in .NET. When the archive is decompressed, it shows a corrupted image of a girl that triggers an error and displays an incomplete picture; meanwhile, the ransomware has already been delivered to the computer.

The attackers renamed the malware dropped in the Startup folder as ‘GoogleUpdate.exe’ in an attempt to deceive the victims.
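As an added illustration (not from the original article or from the researchers it cites), the host artifacts described above can be turned into a simple triage check over file-creation events. The event format, the archiver process names, the list of executable extensions and the sample events are assumptions constructed for this example.

```python
import ntpath  # parses Windows paths on any OS

# Indicators named in the article.
RANSOM_NOTE = "jnec.readme.txt"
ENCRYPTED_EXT = ".jnec"
DROPPED_NAME = "googleupdate.exe"
# Path fragment shared by the per-user and all-users Windows Startup folders.
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"
# Assumptions: archiver process names and extensions treated as executable.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
EXEC_EXTS = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}

def classify(event):
    """Return the findings for one file-creation event (keys: process, path)."""
    path = event["path"].lower()
    proc = ntpath.basename(event["process"]).lower()
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1]
    findings = []
    if STARTUP_FRAGMENT in path and ext in EXEC_EXTS:
        # Extraction should never place a program in an autorun location.
        if proc in ARCHIVERS:
            findings.append("archiver-wrote-startup-executable")
        # The genuine Google updater is not installed in the Startup folder.
        if name == DROPPED_NAME:
            findings.append("googleupdate-in-startup")
    if name == RANSOM_NOTE:
        findings.append("jnec-ransom-note")
    if ext == ENCRYPTED_EXT:
        findings.append("jnec-encrypted-file")
    return findings

def scan(events):
    """Return (path, findings) for every event with at least one finding."""
    return [(e["path"], f) for e in events if (f := classify(e))]

USER = "C:\\Users\\alice"  # constructed sample data, not from a real incident
WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"
STARTUP = USER + "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_EVENTS = [
    {"process": WINRAR, "path": STARTUP + "\\GoogleUpdate.exe"},
    {"process": WINRAR, "path": USER + "\\Downloads\\vk_4221345\\photo.jpg"},
    {"process": STARTUP + "\\GoogleUpdate.exe", "path": USER + "\\Documents\\report.docx.Jnec"},
    {"process": STARTUP + "\\GoogleUpdate.exe", "path": USER + "\\Desktop\\JNEC.README.TXT"},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS):
        print(", ".join(findings), "->", path)
```

The first rule is the most useful in practice because it does not depend on this family's file names: it fires on any executable an archive utility writes into an autorun location.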

A few days ago, McAfee reported that attackers are continuing to exploit the WinRAR flaw in the wild; the company identified more than “100 unique exploits and counting” in the first week since the vulnerability was publicly disclosed.

The JNEC.a ransomware still has a low detection rate: it was identified as malicious by 31 of 71 antivirus engines on VirusTotal.

At the time of writing, 29 antivirus engines detect JNEC.a as a threat. According to the popular malware researcher Michael Gillespie, a bug in its code makes it impossible to decrypt files, even for the developer.


Pierluigi Paganini

(SecurityAffairs – JNEC.a ransomware, hacking )
