March 8, 2016 By David Strom 2 min read

Security researchers have uncovered a new twist on ransomware-as-a-service with the discovery of what is being called Ransom32. While there have been several Web-based ransomware variants, including TOX and FAKBEN, this is a somewhat different development since it uses a popular JavaScript framework called NW.js. Computerworld first wrote the story in early January.

JavaScript Has a Dark Side

Using JavaScript (JS) framework is a dark turn of events but not completely unexpected. Normally, JS programs run in tight sandboxes in your browser and can’t touch the underlying operating system because you don’t want some ill-behaved JS routine to crash your system. But programmers have built numerous frameworks to try to give more control and interactivity to Web-based routines, and one of the up-and-coming frameworks is NW.js.

When using this framework, you have almost as much access to the underlying system resources as a regular C++ program. The routines can look very similar to normal Windows or Mac software. But this also means that malicious actors who write NW.js routines can also have free rein on a system, and that’s where Ransom32 comes into the picture.

The ransomware mandates that victims have four days to pay, and after a week, their entire hard drive is destroyed. You can see a more detailed explanation of the threat, along with screenshots, on the Emsisoft blog.

The issue is that NW.js is a legitimate framework, which makes it even harder for Ransom32 to be added to signature-based malware detection solutions. Malware fighters report that many of them didn’t have great detection coverage for the first few weeks after the software was discovered.

Ransomware Continues to Grow

Ransomware attacks and related advanced threats have grown in number and sophistication in the past year. The earlier ransomware variants took a 10 to 30 percent cut of the proceeds if they were used by criminals, while Ransom32 takes 25 percent, according to Computerworld. After you sign up for the service and give the authors your bitcoin information, you connect to a control panel where you can find out how many people have already paid the ransom or which systems were infected.

You can set up how much the ransom is and how many fake messages are sent to the infected users. The software can be easily assembled with just a few mouse clicks; there’s no real programming experience required. Of course, who knows if the information displayed in this control panel is even accurate.

So far, Ransom32 has only been observed infecting Windows PCs. But still, given this feature, don’t expect it to stay limited to Windows for very long. It wouldn’t take much for cybercriminals to generate packages for Linux or Macs and expand their target base.

Backups are critical for protection against any malware, but especially ransomware that could destroy your entire hard drive. So this means actually testing restores regularly to ensure that your backup routines are actually working. You should increase your efforts in phishing awareness training so that users avoid downloading and installing this nasty bit of code inadvertently.

We know that everything-as-a-service is happening, especially with regard to malware construction kits. But with the popularity and profit behind ransomware, it is sad to see this latest step in its evolution.

Download the complete Ransomware Response Guide from IBM Security

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today