CATEGORY: EMERGING THREAT
Insecure IPMI (Intelligent Platform Management Interface) cards are being used to deploy a ransomware called JungleSec. Having accessed the servers, attackers can reboot the computer into single user mode to gain root access, so that they can download and compile the ccrypt encryption program.
Researchers at bleeping computer explained that attackers leveraged several loopholes in targeted servers’ IPMI interface to install JungleSec. In one case, the victim had not changed the default password of IPMI interface, whereas the other case involved exploitation of vulnerabilities in the IPMI interface despite disabling the Admin user.
The ccrypt encryption program is downloaded to encrypt a victim’s ﬁles. Once it has encrypted ﬁles, it leaves a ransom note as ENCRYPTED.md and demands 0.3 bitcoins as ransom, with below content.
What happen to my data ?
Your data are encrypted. If you try to bruteforce, change the path, the name or do anything that can alterate a single byte of a ﬁle(s) will result to a fail of the recovery process, meaning your ﬁle(s) will be loss for good.
How can I retrieve them ?
To known the process, you must ﬁrst send 0.3 bitcoin to the following address : [bitcoin_address]
– Once the payment made, send your email address to email@example.com, do not forget to mention the IP of server/computer
Will you send the process recovery once payment is made ?
We have no interest to not send you the recovery process if payment was made. – Once the payment is made, you should receive the recovery process to decrypt your data in less 24 hours
The attackers also left behind a backdoor to listen on TCP port 64321. Furthermore, they searched for and mounted virtual machine disks, but could not encrypt them and only succeeded at encrypting a useless home directory and a kvm machine.
It was also reported that many victims have paid ransom and still haven’t received a response to decrypt their ﬁles, which further asserts why ransom payments should not be made.
Linux, Mac, Windows
INDICATORS OF COMPROMISE