March 8, 2016 By David Strom 2 min read

Security researchers have uncovered a new twist on ransomware-as-a-service with the discovery of what is being called Ransom32. While there have been several Web-based ransomware variants, including TOX and FAKBEN, this is a somewhat different development since it uses a popular JavaScript framework called NW.js. Computerworld first wrote the story in early January.

JavaScript Has a Dark Side

Using JavaScript (JS) framework is a dark turn of events but not completely unexpected. Normally, JS programs run in tight sandboxes in your browser and can’t touch the underlying operating system because you don’t want some ill-behaved JS routine to crash your system. But programmers have built numerous frameworks to try to give more control and interactivity to Web-based routines, and one of the up-and-coming frameworks is NW.js.

When using this framework, you have almost as much access to the underlying system resources as a regular C++ program. The routines can look very similar to normal Windows or Mac software. But this also means that malicious actors who write NW.js routines can also have free rein on a system, and that’s where Ransom32 comes into the picture.

The ransomware mandates that victims have four days to pay, and after a week, their entire hard drive is destroyed. You can see a more detailed explanation of the threat, along with screenshots, on the Emsisoft blog.

The issue is that NW.js is a legitimate framework, which makes it even harder for Ransom32 to be added to signature-based malware detection solutions. Malware fighters report that many of them didn’t have great detection coverage for the first few weeks after the software was discovered.

Ransomware Continues to Grow

Ransomware attacks and related advanced threats have grown in number and sophistication in the past year. The earlier ransomware variants took a 10 to 30 percent cut of the proceeds if they were used by criminals, while Ransom32 takes 25 percent, according to Computerworld. After you sign up for the service and give the authors your bitcoin information, you connect to a control panel where you can find out how many people have already paid the ransom or which systems were infected.

You can set up how much the ransom is and how many fake messages are sent to the infected users. The software can be easily assembled with just a few mouse clicks; there’s no real programming experience required. Of course, who knows if the information displayed in this control panel is even accurate.

So far, Ransom32 has only been observed infecting Windows PCs. But still, given this feature, don’t expect it to stay limited to Windows for very long. It wouldn’t take much for cybercriminals to generate packages for Linux or Macs and expand their target base.

Backups are critical for protection against any malware, but especially ransomware that could destroy your entire hard drive. So this means actually testing restores regularly to ensure that your backup routines are actually working. You should increase your efforts in phishing awareness training so that users avoid downloading and installing this nasty bit of code inadvertently.

We know that everything-as-a-service is happening, especially with regard to malware construction kits. But with the popularity and profit behind ransomware, it is sad to see this latest step in its evolution.

Download the complete Ransomware Response Guide from IBM Security

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today