Ransom32: First-of-its-kind JavaScript-based ransomware spotted in the wild

Ransomware Ransom32 uses NW.js
Credit: Emsisoft

A new JavaScript-based ransomware spotted in the wild uses the NW.js framework to infect victims; it's likely cross-OS compatible, meaning Windows, Linux and Mac users could be infected; Ransom32 is being sold on the dark web as ransomware-as-a-service in exchange for a 25% cut of the ransom profits.

Oh goody, there’s a new type of ransomware that is based on JavaScript but more powerful as it uses NW.js to infect users; it’s considered to be a cross-OS ransomware and it’s being sold as ransomware-as-a-service. Happy flipping 2016!

Ransom32, a first-of-its-kind ransomware, was first reported by one of its victims on Bleeping Computer. So far the only Ransom32 variants spotted in the wild have targeted Windows machines, but it uses the NW.js framework that allows an application to be written once yet be “instantly usable on Windows, Linux and MacOS X.” Emsisoft’s security expert Fabian Wosar explained that by using NW.js, “Ransom32 could easily be packaged for both Linux and Mac OS X,” even though he has only seen it in a Windows executable (exe) format.

Although JavaScript can only accomplish so much in the browser, Wosar wrote, “NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything ‘normal’ programming languages like C++ or Delphi can do.”

Ransom32 is being sold as a service, but ransomware-as-a-service is not new; for example the Tox ransomware developer wanted 30% of the ransom payment and the FAKBEN Team requested a 10% cut of the profit. Ransom32 falls somewhere in-between, with the crypto malware authors wanting a 25% cut for customized versions of its currently undecryptable ransomware.

Like other crypto-malware campaigns, wannabe bad guys sign up on a hidden server on the Tor network and can get their own customized Ransom32 ransomware after inputting the Bitcoin address where the ransom is to be delivered. Right now the infection comes via spam emails that trick victims into installing the first-of-its-kind ransomware.

Regarding Ransom32, Wosar explained the web interface seen by cyber-thugs.

After you type in your Bitcoin address, you will get access to the rudimentary administration panel. In the admin panel, you can get various statistics, like for example how many people already paid or how many systems were infected. You can also configure your “client”, which is their term for the actual malware. It is possible to change the amount of Bitcoins the malware will ask for, as well as configure parameters like fake message boxes the malware is supposed to show during install. 

Ransom32 web interface Emsisoft

While some ransomware is only 1 MB or less – and that’s a selling point, Ransom32 has a huge 32 MB file size; that might lead some people to “dismiss it as some kind of amateurish attempt at ransomware because of the file size, but it really isn't,” Wosar told Softpedia. In fact, Wosar compared Ransom32 to the “original CryptoLocker, which almost operated identical from a cryptography point of view. If there ever was like a successor of CryptoLocker from a cryptography point of view, this would be it.”

The ransomware utilizing NW.js and the big file size aren’t the only odd things about Ransom32, since the malware authors chose to kick off the campaign over the holidays when not as many people were at their computers as there normally would be. That also helped Ransom32 to stay under the radar as its signature didn’t get added to AV detection; due to NW.js being a legitimate framework, it makes it even harder to be added to signature-based malware detection solutions. Wosar said signature coverage was still “incredibly bad” even two weeks after the malware was first created.

Ransom32 is delivered to victims as a compressed RAR file which self-extracts and creates “a shortcut in the user’s Startup folder named ‘ChromeService’ that will make sure the malware is being executed on every boot,” Wosar explained. It encrypts a victim’s files, photos, documents and other data so that when the machine is started, a victim sees the ransom note demanding payment in Bitcoins.

ransom32 Emsisoft

The “encrypted AES key is being stored together with the AES encrypted data inside the now encrypted file,” Wosar wrote. Victims are given four days to cough up payment before the ransom amount jacks up even higher. “The malware offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption.” If the ransom isn’t paid after seven days, the AES key is destroyed and all the encrypted data can no longer be recovered.

If you haven’t backed up your data lately, then it’s a good habit to develop and something important enough that it should be included in your New Year’s resolutions. Wosar advised users to protect themselves from all ransomware by having a “solid and proven backup strategy.”

A look inside the Microsoft Local Administrator Password Solution
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies