Security Researchers at Tesorion Reveals the Differenece Between NoCry and Judge Ransomware


Earlier this year, researchers at Tesorion published a blog post regarding the analysis of the Judge ransomware. Researchers released a free decryptor for Judge victims which is accessible via the ‘NoMoreRansom’ initiative. This decryptor was particularly designed to help victims in retrieving their files for free since its release. 

A few months later, BleepingComputer published an article regarding a new variant of the ransomware, called NoCry. This variant was discovered by an independent cybersecurity researcher named GrujaRS. After analyzing the Judge ransomware, researchers at Tesorion discovered the alias: NoCry in the binary. 

NoCry Ransomware is a family of ransomware infections that are typically utilized by less skilled developers and many utilize themes based on movies, pop culture, or pretend to be law enforcement. This family of ransomware infections is created using an open-source project that was posted to GitHub. 

Luckily, the decryptor for Judge also decrypts files encrypted by the NoCry/Stupid ransomware. The NoCry ransomware analyzed by security researchers was identical to Judge ransomware, the one researcher previously analyzed. NoCry ransomware develops a mutex to prevent multiple instances from running in parallel, provides sandbox detection, and deletes system restore points. When those tasks are completed, the ransomware starts encrypting the victim’s files. The file encryption process is the same, and therefore, our decryptor can also be used for NoCry.

Some minor differences

After analyzing minutely, researchers at Tesorion spotted some interesting differences between NoCry and the Judge ransomware. For example, the mutex of NoCry ransomware was slightly different: “rGoB8VnbP6W42hW5”. Furthermore, the screen displayed to the user after file encryption was completely different.

The other difference was the countdown, NoCry’s countdown was a little bit different from the one presented by Judge ransomware. The only way for a victim to retrieve its files is via the intended route. Therefore, once the timeline is over, the victim can no longer perform decryption. The only way to decrypt the files is to use the decryptor released by Tesorion researchers. 

The file encryption process did not change, so the decryptor only requires some minor adjustments. Therefore, our current decryptor also decrypts (non-corrupted) files affected by this NoCry/Stupid variant. The decryptor remains free of charge and will be available via the NoMoreRansom initiative soon.