
Ransom32: The First Javascript Ransomware

Emsisoft Blog Ransom32 JavaScript Ransomware

2 replies to this topic

#1 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,812 posts
  • Location: Oil City, Pa. U.S.A.

Posted 16 January 2016 - 03:39 AM

Malware authors have created a new form of ransomware called Ransom32. This malware uses a JavaScript vulnerability as an attack vector, which makes the malware very easily deployed. By using this JavaScript vulnerability with most web browsers it can infect virtually all OS platforms. Currently all versions of Windows, Linux and Mac machines are vulnerable to this insidious ransomware. Yikes!

 

More info can be found at this recent Emsisoft blog: http://blog.emsisoft...gn=ticker160111

 

Regards, Ritchie...
 


* Immunet Global Forum Moderator *


#2 ritchie58

ritchie58

    Staff Member

  • Moderators
  • 1,812 posts
  • Location: Oil City, Pa. U.S.A.

Posted 16 January 2016 - 08:00 AM

Here is some more news concerning this new, emerging threat from eSecurity Planet by Jeff Goldman.

 

 

Researchers at Emsisoft recently came across new ransomware called Ransom32, which was first reported by an infected user in BleepingComputer's forums.

According to BleepingComputer owner Lawrence Abrams, the malware is offered to cybercriminals as Ransomware as a Service (RaaS), for which the developers take a 25 percent cut of all ransom payments.


The ransomware is delivered as a 22 MB WinRAR self-extracting archive containing a packaged NW.js application.

"What makes this ransomware unique is that it is the first ransomware programmed entirely in JavaScript, HTML, and CSS," Abrams wrote. "This ransomware uses the NW.js platform that allows developers to create native applications for Linux, Mac, and Windows using HTML5, CSS3, JavaScript, and WebGL."

 

"[W]hile JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything 'normal' programming languages like C++ or Delphi can do," Emsisoft's Fabian Wosar explained in a blog post.
 

"For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms," Wosar added. "So a NW.js application only needs to be written once and is instantly usable on Windows, Linux and Mac OS X."
 

So while Ransom32 currently appears to be Windows-only, Wosar noted, it could easily be packaged for Mac OS X and Linux as well.

In addition, because NW.js is a legitimate framework and application, it's extremely difficult for anti-virus software to detect the malware -- at this point, VirusTotal reports that only three of 54 leading anti-virus solutions detect Ransom32 as malicious.
 

Once the malware is executed on a system, it starts a bundled Tor client to connect to a command and control server, then begins encrypting the user's files and displays a ransom note demanding payment via Bitcoin within six days, or all encrypted data will be destroyed.
 

"Whatever feature or capability makes a language or platform great for developers will also be leveraged by cyber criminals," Tripwire director of IT and risk strategy Tim Erlin told eSecurity Planet by email. "The self-contained runtime environment and cross-platform nature of NW.js allows a developer to ship code that’s easy to get running on as many systems as possible, and that’s just the kind of feature a malware author needs."

 

"As is the case with most malware, we tend to focus on the interesting technical discussion of the code itself, rather than the much more practical infection vectors," Erlin added. "No one wants to read another article about phishing, yet it continues to be a primary method for malware to find its intended target."


* Immunet Global Forum Moderator *
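The article above describes a behaviour chain rather than a file signature: a payload runs out of a self-extracting archive, a bundled Tor client connects to command and control, then user files are rewritten in bulk. Because NW.js itself is a legitimate runtime, that chain is a more useful detection hook than the binary. The following is an added example, not code from Emsisoft, eSecurity Planet, or this forum: a small detector that runs over constructed endpoint telemetry (the event shape, the Temp-directory path, the destination address and the thresholds are all assumptions chosen for illustration, not indicators taken from the Ransom32 sample).

```javascript
'use strict';

// Added example: behaviour-based detection of the infection chain described in
// the article (payload from an extraction directory -> outbound connection ->
// burst of writes to user documents). Events are constructed, not real logs.

// Path patterns (assumptions): where SFX payloads typically unpack, and which
// user directories a ransomware write burst would hit.
const TEMP_DIR_RE = /\\AppData\\Local\\Temp\\|\\Windows\\Temp\\/i;
const USER_DATA_RE = /^C:\\Users\\[^\\]+\\(Documents|Desktop|Pictures|Downloads)\\/i;

// Thresholds are illustrative; tune against real baselines before deploying.
const DEFAULTS = {
  windowSeconds: 60,     // length of the sliding window over file writes
  minFilesModified: 10,  // writes inside one window needed to alert
  minDistinctDirs: 2,    // spread across directories, unlike a single save
};

// events: [{ts, type: 'process'|'network'|'file', pid, image?, dest?, op?, path?}]
// Returns one alert per process that completes the whole chain in order.
function detectRansomwareChain(events, opts = {}) {
  const cfg = { ...DEFAULTS, ...opts };
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  const procs = new Map(); // pid -> per-process state

  for (const ev of sorted) {
    if (ev.type === 'process') {
      procs.set(ev.pid, {
        image: ev.image,
        fromTemp: TEMP_DIR_RE.test(ev.image),
        netTs: null,   // time of first outbound connection (the C2 step)
        writes: [],    // writes into user data directories
      });
      continue;
    }
    const st = procs.get(ev.pid);
    if (!st) continue; // activity from a process whose start we never saw
    if (ev.type === 'network') {
      if (st.netTs === null) st.netTs = ev.ts;
    } else if (ev.type === 'file' && ev.op === 'write' && USER_DATA_RE.test(ev.path)) {
      st.writes.push({ ts: ev.ts, path: ev.path });
    }
  }

  const alerts = [];
  for (const [pid, st] of procs) {
    if (!st.fromTemp || st.netTs === null) continue;
    // Only writes after the connection count as the encryption phase.
    const after = st.writes.filter((w) => w.ts >= st.netTs);
    for (let i = 0; i < after.length; i++) {
      let j = i;
      while (j < after.length && after[j].ts - after[i].ts <= cfg.windowSeconds) j++;
      const burst = after.slice(i, j);
      if (burst.length < cfg.minFilesModified) continue;
      const dirs = new Set(burst.map((w) => w.path.slice(0, w.path.lastIndexOf('\\'))));
      if (dirs.size >= cfg.minDistinctDirs) {
        alerts.push({ pid, image: st.image, netTs: st.netTs,
                      firstWriteTs: burst[0].ts, filesModified: burst.length });
        break; // one alert per process is enough
      }
    }
  }
  return alerts;
}

// Constructed write burst: `count` files rewritten 2 s apart across two folders.
function constructedWrites(pid, startTs, count) {
  const dirs = ['C:\\Users\\alice\\Documents\\', 'C:\\Users\\alice\\Pictures\\'];
  const out = [];
  for (let i = 0; i < count; i++) {
    out.push({ ts: startTs + 2 * i, type: 'file', pid, op: 'write',
               path: `${dirs[i % 2]}file${i}.dat` });
  }
  return out;
}

// Constructed telemetry: a benign editor saving two documents, then a payload
// (hypothetical name) running from Temp, connecting out, and rewriting files.
const SAMPLE_EVENTS = [
  { ts: 0,  type: 'process', pid: 1001, ppid: 800,  image: 'C:\\Program Files\\Editor\\editor.exe' },
  { ts: 5,  type: 'file',    pid: 1001, op: 'write', path: 'C:\\Users\\alice\\Documents\\notes.txt' },
  { ts: 9,  type: 'file',    pid: 1001, op: 'write', path: 'C:\\Users\\alice\\Documents\\todo.txt' },
  { ts: 10, type: 'process', pid: 4242, ppid: 3000,
    image: 'C:\\Users\\alice\\AppData\\Local\\Temp\\RarSFX0\\payload.exe' },
  { ts: 12, type: 'network', pid: 4242, dest: '203.0.113.10:9001' }, // placeholder address
  ...constructedWrites(4242, 14, 12),
];

console.log(JSON.stringify(detectRansomwareChain(SAMPLE_EVENTS), null, 2));
```

The ordering requirement matters: the same dozen writes without a preceding outbound connection from a Temp-directory process produce no alert, which keeps a user bulk-renaming photos from tripping the rule, while the encryption phase of the chain described above still does.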


#3 Bobn

Bobn

    Newbie

  • Members
  • 4 posts

Posted 10 April 2016 - 05:37 AM

Thanks for the information but it raises some questions - if the exploit is delivered via a self-extracting zip file, would not that mean:

 

1 - you'd have to first download the file?

 

2 - you'd then have to "execute it?" - the self extracting files my version of WinZip creates are exe files

 

3 - would you not then have to take some steps to execute the .js applications?

 

These are things that a savvy user would not do - correct?

 

If I download executable software, it is from the author's site or a verified download site. Then I scan it with up-to-date copies of AVG and MalwareBytes - I'm thinking of adding another scanner or two to my arsenal. And, if I have any doubts, I'll send it through some of the online multiple scanner sites.

 

Can a site download and execute a file without my knowledge or without me having to actually start, or approve, the download?

 

Yes, I know that the vast majority of computer users lack the necessary training (or are they trainable?) to venture forth onto the WWW but I can only teach those I can contact and I try to do so with those I can contact - clients and friends and even strangers.

 

Local news in St. Louis reported, a couple of weeks ago, about a school secretary who came in one morning and found ransomware on her computer. They interviewed an "expert" who basically said "Don't open attachments to emails from people you don't know."

 

Yes, he seems to be a tad less than "expert" about it given that online email accounts get hacked all the time and scammers then use them to send messages to all recipients in the account's address book hoping someone will fall for their scam thinking it is from someone they know.

 

You know - "This is Stan. I'm in Mexico and all my money and my passport were stolen and ....." 

 

I'm trying to contact that "expert" but have not found him yet.

 

The "news" piece was useless. At the end, they have a short clip, maybe 8 seconds long, where the secretary says "Well, it said invoice, so I clicked on it."

 

And that clip seemed to be added in to fill time because they did not address her comment - as I recall, the next thing you heard was "This is so-and-so reporting from...."

 

Bob





