JungleSec ransomware, active since November 2018, infects victims through unsecure IPMI (Intelligence Platform Management Interface) cards and can infect Windows, Linux, and Mac systems. Once initial access is gained, the threat actor then reboots the system in single user mode to gain root access, at which point it downloaded the ccrypt encryption program and manually execute it to encrypt the victim’s files. The ransom note “ENCRYPTED.md” file includes a contact of junglesec@anonymousspeech[.]com and demands .3 bitcoin to decrypt files. The threat actor also installs a backdoor that listens on TCP port 64321 and creates a firewall rule to allow access to this port.
Of the recent victims, multiple have reported not receiving a response from the attacker and have not been able to recover their data.
Technical Details and Reporting
Bleeping Computer provides technical details on JungleSec, here.