Jsworm
Description
JSWorm is a ransomware family that first surfaced in 2019 and is notable for undergoing multiple rebrands and evolutions, later appearing under names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen. Initially it was distributed via malicious spam emails carrying JavaScript files, hence the "JS" in its name. Later generations moved to targeted intrusions, using compromised RDP services and vulnerable network appliances for initial access. JSWorm encrypts files with AES-256 and protects the per-victim AES key with RSA-2048; the exact ciphers and key-handling routines changed between generations (the Nemty rebrand, for example, shipped new encryption routines), so indicators from one variant should not be assumed to hold for the next. Each campaign appends its own file extension (e.g., .JSWORM, .Nemty, .NEPHILIM), which is the quickest field indicator of which generation hit a host. In its later stages the group adopted a double-extortion model, exfiltrating data before encryption and threatening to publish it on dedicated leak sites. Its victimology spans sectors worldwide, including manufacturing, energy, healthcare, and professional services. The continuous rebranding is best read as an effort to evade signature-based detection, disrupt attribution, and keep pressure on victims.
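Because the campaign-specific extensions listed above are the most practical indicator during triage, the following script (an added example written for this entry, not tooling from the page or from any of the cited vendors) walks a directory tree, collects files carrying a known JSWorm-family extension, and uses a Shannon-entropy check on the file header to separate genuinely encrypted files from files that merely carry the extension (a dropped ransom note, a renamed but untouched file). The extension list, the 7.0 bits-per-byte threshold, the 4096-byte sample size and the sample files it builds are all assumptions chosen for the demonstration.

```python
"""Extension-plus-entropy triage for JSWorm-family ransomware (added example).

Assumptions (not from the page): the extension list below is limited to the
three named in the description, headers are sampled at 4096 bytes, and 7.0
bits/byte is treated as the "looks encrypted" threshold.
"""
import math
import os
import tempfile
from collections import Counter

# Extensions named in the description; matching is case-insensitive because
# samples varied in casing (.JSWORM, .Nemty, .NEPHILIM).
KNOWN_EXTENSIONS = (".jsworm", ".nemty", ".nephilim")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for a uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str, sample_bytes: int = 4096, threshold: float = 7.0) -> dict:
    """Sample the file header and flag it as encrypted-looking if entropy >= threshold.

    Ransomware output is indistinguishable from random bytes, so a plaintext
    document that was only renamed (or a ransom note) will score far lower.
    """
    with open(path, "rb") as fh:
        head = fh.read(sample_bytes)
    ent = shannon_entropy(head)
    return {"path": path, "entropy": round(ent, 2), "looks_encrypted": ent >= threshold}


def triage(root: str, extensions=KNOWN_EXTENSIONS,
           sample_bytes: int = 4096, threshold: float = 7.0) -> dict:
    """Walk root and return {extension: [classification dicts]} for every hit."""
    hits: dict = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            for ext in extensions:
                if lower.endswith(ext):
                    full = os.path.join(dirpath, name)
                    hits.setdefault(ext, []).append(
                        classify_file(full, sample_bytes, threshold))
                    break  # one extension per file is enough
    return hits


def build_sample_tree() -> str:
    """Constructed sample data for the demo (not a real incident):
    one high-entropy .JSWORM file, one low-entropy file that only carries the
    .Nemty extension, and one untouched .txt that must not be reported."""
    root = tempfile.mkdtemp(prefix="jsworm_triage_")
    with open(os.path.join(root, "report.docx.JSWORM"), "wb") as fh:
        fh.write(os.urandom(8192))          # stands in for ciphertext
    with open(os.path.join(root, "notes.txt.Nemty"), "wb") as fh:
        fh.write(b"A" * 2000)               # renamed, but clearly not encrypted
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"plain file, not renamed\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for ext, entries in sorted(triage(sample_root).items()):
        for entry in entries:
            verdict = "ENCRYPTED?" if entry["looks_encrypted"] else "renamed only"
            print(f"{ext:10} {entry['entropy']:5.2f} bits/byte  {verdict}  {entry['path']}")
```

Run it against a mounted forensic image or a share root instead of the sample tree; a hit with low entropy is worth a second look because it usually means a ransom note or a file the encryptor skipped, and an untouched file with no known extension is not reported at all, so pair this with a volume-wide entropy sweep when the variant's extension is not yet known.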
External Analysis
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/jsworm-nemty-rebrands-to-avoid-detection/
https://www.bleepingcomputer.com/news/security/jsworm-ransomware-rebrands-to-nemty-with-new-encryption-routines/
https://www.trendmicro.com/en_us/research/20/g/nefilim-ransomware-shifts-to-double-extortion.html