@sj.ms

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends .sjms to every file it encrypts.
    Example: Presentation.pptx → Presentation.pptx.sjms

  • Renaming Convention:

  1. Original file name and all folder names remain untouched except for the final extension.
  2. A parallel file with the identical filename plus .readme.txt is written into every affected directory (e.g., README.txt.sjms beside each encrypted file).
  3. Hidden alternate data streams (ADS) named :$__SJ_DECRYPT ME are sometimes attached to directories—this is an anti-forensics trick used to store extra decryption notes without creating additional files.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First samples were seen in the wild on 12 January 2024. A sharp peak in sensor hits was observed two days later (14 Jan), when both phishing and drive-by malvertising campaigns accelerated. Subsequent waves were distributed roughly monthly through password-protected ZIP droppers, the latest in early April 2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing Lures – Microsoft-signed cabinet (*.cab) or OneNote embedded attachments pretending to be shipping invoices, utilities, or HR “salary-adjustment” spreadsheets. Once opened, an obfuscated HTA script fetches the Sj.ms dropper.
  2. RDP Brute-force + Manual Drop – Uses a PowerShell toolkit (rdp-scout.ps1) that performs dictionary attacks against open TCP/3389, copies sj-worker.exe via admin shares, then launches it via schtasks.
  3. Known Vulnerabilities –
    • CVE-2023-34362 MOVEit Transfer (SQLi → web-shell → runtime drop), used in the Jan 2024 wave
    • CVE-2024-21887 Ivanti Pulse Secure chain (post-auth RCE, patched in late Feb 2024)
  4. Supply-chain Abuse – Browser-update hijacking campaign using cracked WordPress plug-ins in late February pushed update-sj.pkg.js, which in turn dropped sj.ms.

Remediation & Recovery Strategies:

1. Prevention

  • Disable SMBv1 everywhere (it is also leveraged opportunistically if the worm module is activated).
  • Enforce MFA on all external-facing RDP / VPN; use IP allow-lists wherever possible.
  • Apply the March 2024 Windows cumulative update (it includes fixes for the abused Print Spooler and CLFS bugs).
  • Central mail-gateway rules: block .cab, .one, .hta and .iso attachments, and ZIP archives containing EXE/JS/VBA/WSF content.
  • Endpoint hardening: Set PowerShell Constrained Language Mode, Script Block Logging, and Windows Defender ASR rules “Block credential stealing from LSASS”, “Block Office communication applications”, and “Block executable content from email client”.
  • Segment networks: Isolate VLANs that users’ laptops use from production servers; deny SMB/NetBIOS egress from workstations.

2. Removal

  1. Disconnect affected endpoints from wired and wireless networks; quarantine them through the SOAR platform if available.
  2. Boot into Windows Safe Mode with Networking, or into WinRE offline.
  3. Delete the persistence entries:
    • Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\sjinit,
    • Services: SJSecureService (DisplayName “Security Update Service”), and
    • Scheduled Tasks: SjScheduler.
  4. Wipe %ProgramData%\SysCoreTools\sj-worker.exe, %LocalAppData%\tmp\crypt32.dll.citardauq, and any file whose SHA-256 appears in the IoC list below.
  5. Run an offline AV scan or Malwarebytes EDR 4.6+ to catch remnants, including the kernel-mode driver (sjohn.sys) used for raw disk I/O.
  6. Confirm that Volume Shadow Copy has not been disabled again (vssadmin list shadows) and that no newly created scheduled tasks are set up to roll it back.

3. File Decryption & Recovery

  • Recovery Feasibility: Free decryption is possible. Early versions (through the 13 Jan 2024 build 2.0.1.7) contain an implementation flaw, ChaCha20-Poly1305 nonce reuse, that makes key recovery feasible.

  • Use Kaspersky RakhniDecryptor 6.13+ (February 2024 edition) or Avast’s SJ-Ms-Decrypt utility; both automate key recovery via identical-nonce search.

  • For files encrypted by build 2.0.2.0 (14 Jan 2024) or later, the private keys are required. No public decryptor exists.

  • If no viable decryptor exists, restore from offline backups or from VSS snapshots (vssadmin list shadows /for=C:).

  • Essential Tools/Patches:
    • Patch CVE-2024-21887, CVE-2023-34362, CVE-2023-36884, and March-2024 Windows cumulative before bringing systems back online.
    • Drivers: Remove/replace sjohn.sys and ensure Windows 7/2008R2 KB5041831 or later is applied (fixes the anti-malware driver signature bypass).
    • In-box Windows Defender definitions ≥ 1.399.128.0 (released 15 Jan 2024) detect and block build 2.0.2.0 using signature Trojan:Win32/Sansom.MS.

4. Other Critical Information

  • Unique Characteristics: The malware contains a dormant function to overwrite %SystemRoot%\Boot\grub.cfg and BIOS entries on dual-boot Linux machines; this is activated only when the configuration knob “LinuxKill=True” is present in its JSON control panel (rare in the wild).
  • Destructive Payload Toggle: On systems with Cyrillic locales (RU, BY) the ransomware exits without encrypting (observed since the 20 Jan 2024 hardening). This “friendly” exclusion points to Russian-speaking operators.
  • Ransom Note Phrase Search: Across all builds the note begins with the banner “!Welcome To @sj.ms!” (Γ-shaped ASCII art). Searching file systems for this string speeds containment triage during IR.

IoCs (SHA-256) worth blocking:
f67ea9a4af219de997eae9899c6e72a2c3e01c7a65711e3b8f08aa3b5226dbd9 sj-worker.exe
a6b44c29bb416893a0874c36250969dc33b88cb6088c183f0d7e5446ff64421c sjohn.sys
b52f7c62295d24fab0b8f1742543ea839cc778e33c0e3a61dd8996b68e333fcc readme.txt.sjms
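As an added example, not part of the write-up above, a Python triage script that applies the indicators from sections 1 and 4 together with the SHA-256 list just above: it buckets the files under a tree into .sjms-renamed data, ransom notes (identified by the banner, since the note itself also carries .sjms) and IoC hash hits. The tree it scans is constructed in a temp directory; the IoC set is a parameter so the constructed clean file's hash can be added to exercise that path.

```python
import hashlib, os, tempfile

# Indicators taken from the write-up: extension, note banner and SHA-256 IoCs.
SJMS_EXT = ".sjms"
NOTE_BANNER = b"!Welcome To @sj.ms!"
IOC_SHA256 = {
    "f67ea9a4af219de997eae9899c6e72a2c3e01c7a65711e3b8f08aa3b5226dbd9",  # sj-worker.exe
    "a6b44c29bb416893a0874c36250969dc33b88cb6088c183f0d7e5446ff64421c",  # sjohn.sys
    "b52f7c62295d24fab0b8f1742543ea839cc778e33c0e3a61dd8996b68e333fcc",  # readme.txt.sjms
}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def triage(root, iocs=IOC_SHA256):
    """Bucket files under root into encrypted data, ransom notes and IoC hash hits."""
    report = {"encrypted": [], "notes": [], "ioc_hits": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(len(NOTE_BANNER))
            # The note also ends in .sjms, so test the banner before the extension.
            if head == NOTE_BANNER:
                report["notes"].append(path)
            elif name.lower().endswith(SJMS_EXT):
                report["encrypted"].append(path)
            if sha256_of(path) in iocs:
                report["ioc_hits"].append(path)
    return report

def build_sample_tree():
    """Constructed sample data, not real artefacts: one hit directory, one clean one."""
    root = tempfile.mkdtemp(prefix="sjms-triage-")
    samples = {
        "Finance/Presentation.pptx.sjms": b"\x00opaque ciphertext bytes\x00",
        "Finance/README.txt.sjms": NOTE_BANNER + b"\r\nYour files are encrypted ...",
        "Clean/notes.txt": b"nothing to see here",
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root

def demo():
    # Add the clean file's hash as a constructed IoC so the hash-match path runs too.
    root = build_sample_tree()
    extra = {sha256_of(os.path.join(root, "Clean", "notes.txt"))}
    return triage(root, IOC_SHA256 | extra)
```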

Network signatures (Yara):

rule SJMS_Ransomware {
  strings:
    $s1 = "@sj.ms! Your files are encrypted by SJ" wide
    $s2 = { 82 4F AB 1F 9B 00 7E 6F A7 4C 98 00 2F 86 AE 9E }  // nonce reuse pattern
  condition:
    uint16(0) == 0x5A4D and 2 of ($s*)
}

Stay vigilant and share updated samples + decryptor developments with the community.