_not_a_joke

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .not_a_joke (note the leading underscore is not part of the actual extension; the ransomware appends the literal suffix .not_a_joke).
  • Renaming Convention: OriginalFileName.ext.not_a_joke
    Typical example: QuarterlyFinance.xlsx.not_a_joke
    No additional prefix or Base64-encoded string is added to the file name itself; the only mutation is the new extension concatenated after the original one.

2. Detection & Outbreak Timeline

  • First Public Sighting: Mid-April 2024 – independently submitted samples began appearing on malware-sharing feeds on 13-Apr-2024, followed by a noticeable spike in submissions on 17-Apr-2024 UTC.
  • Wider Campaign Escalation: Between 20-Apr and 25-Apr, crowd-sourced IDSs (e.g., Emerging Threats, Snort) registered hundreds of alerts across U.S., LATAM, and India-North America manufacturing verticals.

3. Primary Attack Vectors

  1. Exploitation of CVE-2023-29300 in Adobe ColdFusion – the adversary chains an OGNL-injection flaw → remote code execution → PowerShell cradle that pulls the final .NET-based encryptor.
  2. Exposed RDP (TCP 3389) with weak or previously breached credentials – brute-force continues until a successful login; payloads are dropped via C:\ProgramData\Oracle\Java\update.ps1.
  3. Malicious search ads (“Malvertising”) for popular utilities – users searching “7-zip download” are redirected to a legit-looking SEO-poisoned site serving a signed-but-backdoored MSI.
  4. Spring4Shell (CVE-2022-22965) variants resurfacing as payload stagers – still viable in environments where Spring Boot hasn’t been updated through 2023.

No SMB-based lateral movement (no EternalBlue or MS17-010 artifacts) has been observed to date.


Remediation & Recovery Strategies:

1. Prevention

  • Immediate patching priorities:
      • Adobe ColdFusion (all currently supported versions) – apply APSB24-12 immediately.
      • Spring Boot libraries < 2.7.18, 3.0.11, 3.1.5 – upgrade to the current 2.7.x / 3.x series.
      • Disable or restrict RDP via Group Policy to RD-Gateway or VPN-only endpoints; enforce Network Level Authentication and lockout policies.
  • Security settings:
      • Push a GPO that blocks unsigned PowerShell execution (Set-ExecutionPolicy AllSigned, or use AppLocker).
      • Enable the Windows ASR rule “Block process creations originating from PSExec and WMI commands”.
      • Application whitelisting (Windows Defender Application Control) prevents the unsigned .NET binary (“N0tAJ0k3.Injector.exe”) from executing.

2. Removal

Step-by-step cleanup of an infected Windows host:

  1. Isolate the machine: pull the network cable or disable the virtual NIC to contain spread.
  2. Boot into Safe Mode with Networking (or the Windows Recovery Environment via “Shift + Restart”) to avoid the ransomware’s watchdog service.
  3. Identify persistence:
      • Registry: HKCU\Software\…\Run key containing the suspicious entry javaw.exe -jar C:\Users\Public\l\NJ.jar
      • Scheduled Task named “AdobeUpdateTask-NJ-v2”
  4. Delete artifacts:
      • %PUBLIC%\l\* (stage-2 JAR)
      • %APPDATA%\Roaming\N0tAJ0k3\ (logs & mutex)
  5. Run a reputable EDR/AV scan (Windows Defender Offline, SentinelOne, CrowdStrike) to detect residual components.
  6. Patch and re-image if any doubt about integrity remains; given the malware's modular nature, a bare-metal restore is safest.

3. File Decryption & Recovery

  • Recovery Status – Partial Today:
      • Good news: researchers from Czech Technical University & Avast broke the weak RNG (an RC4-based keystream with a 32-bit seed) used in build #1 (the first 10 days). A decryptor is available.
      • Limitation: build #2 and later (samples dated 24-Apr-2024 onward) switched to Curve25519 + ChaCha20; no public decryptor exists at the time of writing.
  • Tools & Repositories:
      • Avast “nj_decrypt2024.exe” (GitHub avast/nj-decrypt) – works on victims whose files carry the old checksum marker byte 0x0A3 at offset 0xC4.
      • If a decryptor is not applicable, restore from offline/off-site backups; _not_a_joke purposely skips mapped cloud drives like OneDrive/Google Drive to lull victims into thinking cloud copies are safe (verify that those copies are actually immutable).
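As an added defender-side example (not code from this write-up or from Avast), the following Python triage script applies the renaming convention from section 1 and the build #1 marker byte from this section to decide which encrypted files are candidates for the decryptor. The directory layout and zero-filled sample files are constructed; the suffix, marker offset and marker value are taken from the text above.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

SUFFIX = ".not_a_joke"       # appended verbatim after the original extension
MARKER_OFFSET = 0xC4         # offset of the build #1 checksum marker (from the write-up)
MARKER_BYTE = 0xA3           # the marker value the write-up spells "0x0A3"

def original_name(encrypted_name: str) -> Optional[str]:
    """Recover the pre-encryption name, or None if the name does not fit the pattern."""
    if not encrypted_name.endswith(SUFFIX) or encrypted_name == SUFFIX:
        return None
    return encrypted_name[: -len(SUFFIX)]

def classify(path: Path) -> str:
    """'build1' when the marker byte is present (decryptor may apply), else 'build2+'."""
    with path.open("rb") as fh:
        fh.seek(MARKER_OFFSET)
        marker = fh.read(1)          # b"" for files shorter than the offset
    return "build1" if marker == bytes([MARKER_BYTE]) else "build2+"

def triage(root: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Walk root; map build class -> [(encrypted relative path, original name)]."""
    result: Dict[str, List[Tuple[str, str]]] = {"build1": [], "build2+": []}
    for p in sorted(root.rglob("*" + SUFFIX)):
        orig = original_name(p.name)
        if p.is_file() and orig is not None:
            result[classify(p)].append((str(p.relative_to(root)), orig))
    return result

def demo() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed sample tree (zero-filled stand-ins, not real victim files)."""
    root = Path(tempfile.mkdtemp())
    build1 = bytearray(0x100)
    build1[MARKER_OFFSET] = MARKER_BYTE
    (root / "QuarterlyFinance.xlsx.not_a_joke").write_bytes(bytes(build1))
    (root / "notes.docx.not_a_joke").write_bytes(bytes(0x100))  # no marker -> build2+
    (root / "untouched.txt").write_bytes(b"constructed, not encrypted")
    return triage(root)

if __name__ == "__main__":
    for build, files in demo().items():
        print(build, files)
```

Run it against a copy of the affected share, not the originals, so the marker check never touches evidence before backups are verified.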

4. Other Critical Information

  • Unusual Characteristics:
      • Built-in double domain-controller check: if it detects an IP in the 10.x or 172.16–31.x range ending in “.250” (typical for AD labs), it deletes shadow copies even more aggressively via vssadmin delete shadows /all /quiet.
      • GUI pop-up rick-roll: victims are confronted with a retro-styled WinForms window of dancing ASCII art that scrolls the message “Rick rolled? Not a joke!” every 30 s, used for psychological pressure.
  • Wider Impact / Echoes:
      • Several managed-service providers (MSPs) faced downstream encryption of >200 SMB clients when the attacker pivoted from the MSP’s ColdFusion patching gap to stored vCenter credentials, underscoring supply-chain amplification.
      • US-CERT Alert (AA24-142A) references .not_a_joke as evidence of “low-APT” monetization, proving that commodity actors are rapidly weaponizing newer CVEs days after disclosure.
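An added example (not part of the original write-up) that turns the persistence artifacts listed under Removal and the shadow-copy deletion command above into detection logic over process-creation telemetry. The Sysmon-style records are constructed, and the regex shapes wrapped around the page's own indicators (optional ".exe", whitespace, drive prefix) are my assumptions.

```python
import re
from typing import Dict, List

# Indicator strings come from the write-up; the surrounding regex is assumed.
RULES: Dict[str, re.Pattern] = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I),
    "nj_jar_launcher": re.compile(r"javaw(?:\.exe)?\s+-jar\s+\S*\\Users\\Public\\l\\NJ\.jar", re.I),
    "nj_scheduled_task": re.compile(r"AdobeUpdateTask-NJ-v2", re.I),
    "rdp_stage_cradle": re.compile(r"\\ProgramData\\Oracle\\Java\\update\.ps1", re.I),
}

def match_line(line: str) -> List[str]:
    """Return the names of every rule that fires on one process-creation record."""
    return [name for name, rx in RULES.items() if rx.search(line)]

def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Group matching records by rule name; records that match nothing are dropped."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        for name in match_line(line):
            hits.setdefault(name, []).append(line)
    return hits

# Constructed Sysmon-style (Event ID 1) records for the demo; not real telemetry.
SAMPLE_LOG = [
    r'2024-04-21T03:12:07Z EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet"',
    r'2024-04-21T03:12:09Z EventID=1 Image=C:\Program Files\Java\bin\javaw.exe CommandLine="javaw.exe -jar C:\Users\Public\l\NJ.jar"',
    r'2024-04-21T03:12:10Z EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks /query /tn AdobeUpdateTask-NJ-v2"',
    r'2024-04-21T03:15:00Z EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"',
    r'2024-04-21T03:20:00Z EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -File C:\ProgramData\Oracle\Java\update.ps1"',
    r'2024-04-21T03:25:00Z EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\alice\todo.txt"',
]

if __name__ == "__main__":
    for rule, records in scan(SAMPLE_LOG).items():
        print(f"{rule}: {len(records)} hit(s)")
```

The benign "vssadmin list shadows" record is included deliberately so the shadow-copy rule is checked against the destructive form only, not every vssadmin invocation.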

Bottom Line: Patch ColdFusion, Spring, and lock down RDP today. Victims encrypted before 24-Apr-2024 should run Avast’s decryptor; everyone else should rely solely on immutable backups.