Ransomware Takes a Scary Turn Using JavaScript

March 8, 2016
| |
2 min read

Security researchers have uncovered a new twist on ransomware-as-a-service with the discovery of what is being called Ransom32. While there have been several Web-based ransomware variants, including TOX and FAKBEN, this is a somewhat different development since it uses a popular JavaScript framework called NW.js. Computerworld first wrote the story in early January.

JavaScript Has a Dark Side

Using JavaScript (JS) framework is a dark turn of events but not completely unexpected. Normally, JS programs run in tight sandboxes in your browser and can’t touch the underlying operating system because you don’t want some ill-behaved JS routine to crash your system. But programmers have built numerous frameworks to try to give more control and interactivity to Web-based routines, and one of the up-and-coming frameworks is NW.js.

When using this framework, you have almost as much access to the underlying system resources as a regular C++ program. The routines can look very similar to normal Windows or Mac software. But this also means that malicious actors who write NW.js routines can also have free rein on a system, and that’s where Ransom32 comes into the picture.

The ransomware mandates that victims have four days to pay, and after a week, their entire hard drive is destroyed. You can see a more detailed explanation of the threat, along with screenshots, on the Emsisoft blog.

The issue is that NW.js is a legitimate framework, which makes it even harder for Ransom32 to be added to signature-based malware detection solutions. Malware fighters report that many of them didn’t have great detection coverage for the first few weeks after the software was discovered.

Ransomware Continues to Grow

Ransomware attacks and related advanced threats have grown in number and sophistication in the past year. The earlier ransomware variants took a 10 to 30 percent cut of the proceeds if they were used by criminals, while Ransom32 takes 25 percent, according to Computerworld. After you sign up for the service and give the authors your bitcoin information, you connect to a control panel where you can find out how many people have already paid the ransom or which systems were infected.

You can set up how much the ransom is and how many fake messages are sent to the infected users. The software can be easily assembled with just a few mouse clicks; there’s no real programming experience required. Of course, who knows if the information displayed in this control panel is even accurate.

So far, Ransom32 has only been observed infecting Windows PCs. But still, given this feature, don’t expect it to stay limited to Windows for very long. It wouldn’t take much for cybercriminals to generate packages for Linux or Macs and expand their target base.

Backups are critical for protection against any malware, but especially ransomware that could destroy your entire hard drive. So this means actually testing restores regularly to ensure that your backup routines are actually working. You should increase your efforts in phishing awareness training so that users avoid downloading and installing this nasty bit of code inadvertently.

We know that everything-as-a-service is happening, especially with regard to malware construction kits. But with the popularity and profit behind ransomware, it is sad to see this latest step in its evolution.

Download the complete Ransomware Response Guide from IBM Security

David Strom
Security Evangelist

David is an award-winning writer, speaker, editor, video blogger, and online communications professional who also advises numerous startup and well-establish...
read more