Security Researchers at Tesorion Reveal the Difference Between NoCry and Judge Ransomware

Earlier this year, researchers at Tesorion published a blog post analyzing the Judge ransomware. Alongside it they released a free decryptor for Judge victims, available through the ‘NoMoreRansom’ initiative, which has been helping victims recover their files at no cost since its release.

A few months later, BleepingComputer published an article about a new variant of the ransomware, called NoCry, discovered by the independent security researcher GrujaRS. When the Tesorion researchers compared it with their earlier Judge analysis, they found the alias NoCry embedded in the binary.

NoCry belongs to a family of ransomware infections typically produced by less skilled developers; many of its members use themes based on movies or pop culture, or pretend to be law enforcement. The family is built with an open-source project that was posted to GitHub.

Fortunately, the Judge decryptor also decrypts files encrypted by the NoCry/Stupid ransomware. The NoCry sample analyzed by the researchers behaves identically to the Judge sample they had examined before: it creates a mutex to prevent multiple instances from running in parallel, performs sandbox detection, and deletes system restore points. Once those tasks are complete, the ransomware starts encrypting the victim’s files. Because the file encryption process is the same, the Tesorion decryptor can be used for NoCry as well.

Some minor differences

On closer analysis, the Tesorion researchers did spot some interesting differences between NoCry and Judge. For example, NoCry uses a slightly different mutex name: “rGoB8VnbP6W42hW5”. Furthermore, the screen displayed to the user after file encryption is completely different.
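A single-instance mutex with a fixed name is also a usable host indicator. The PowerShell below is an added example, not Tesorion's code and not taken from the sample: it checks whether the NoCry mutex name quoted above is already held on the host, and can optionally hold it itself as a "vaccine". It assumes the sample creates an ordinary named mutex under exactly that name and exits when the name is already taken (the usual single-instance pattern, but not something the article states); the `Global\` prefix and the `-Vaccinate` switch are choices of this example.

```powershell
# Added example, not the article's or Tesorion's code.
# Mutex name as quoted for the NoCry sample; Judge uses a different name that
# the article does not give, and other builds of the open-source family may
# use yet another, so treat a miss as "not this build", not "clean".
$NoCryMutexName = 'rGoB8VnbP6W42hW5'

function Test-NamedMutexHeld {
    # Returns $true if a mutex of this name already exists on the host.
    # Both the session-local name and the Global\ name are probed, since the
    # article does not say which namespace the sample uses (assumption).
    param([Parameter(Mandatory)][string]$Name)
    foreach ($candidate in @($Name, "Global\$Name")) {
        $createdNew = $false
        try {
            $m = New-Object System.Threading.Mutex($false, $candidate, [ref]$createdNew)
        } catch [System.UnauthorizedAccessException] {
            # Exists but is owned by another user/session: still a hit.
            return $true
        }
        try {
            if (-not $createdNew) { return $true }
        } finally {
            # We created it ourselves: dispose so the probe leaves no trace.
            $m.Dispose()
        }
    }
    return $false
}

function Start-MutexVaccine {
    # Holds the mutex for the lifetime of this process so a sample that uses
    # the same single-instance check would bail out. Only useful if the sample
    # really aborts on an existing mutex (assumption) and is the same build.
    param([Parameter(Mandatory)][string]$Name)
    $createdNew = $false
    $m = New-Object System.Threading.Mutex($true, "Global\$Name", [ref]$createdNew)
    if (-not $createdNew) {
        $m.Dispose()
        throw "Mutex '$Name' is already held by another process; investigate before vaccinating."
    }
    Write-Host "Holding mutex '$Name' (Ctrl+C to release)."
    while ($true) { Start-Sleep -Seconds 60 }
}

# Usage: run as an IOC check, or with -Vaccinate to hold the name.
param([switch]$Vaccinate)
if (Test-NamedMutexHeld -Name $NoCryMutexName) {
    Write-Warning "Mutex '$NoCryMutexName' is present: check for a running NoCry instance."
} elseif ($Vaccinate) {
    Start-MutexVaccine -Name $NoCryMutexName
} else {
    Write-Host "Mutex '$NoCryMutexName' not found."
}
```

The check is deliberately side-effect free: when the probe creates the mutex itself it disposes it immediately, so a negative result does not accidentally vaccinate the host and mask a later infection attempt in your telemetry. Note that this only covers the one build the article describes; the decryptor, not the mutex name, is what carries over between Judge and NoCry.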

The other differe ..
