Emsisoft Warns of New ‘Ransom32’ JavaScript Ransomware

Researchers at Emsisoft recently came across new ransomware called Ransom32, which was first reported by an infected user in BleepingComputer’s forums.

According to BleepingComputer owner Lawrence Abrams, the malware is offered to cybercriminals as Ransomware as a Service (RaaS), for which the developers take a 25 percent cut of all ransom payments.

The ransomware is delivered as a 22 MB WinRAR self-extracting archive containing a packaged NW.js application.

“What makes this ransomware unique is that it is the first ransomware programmed entirely in JavaScript, HTML, and CSS,” Abrams wrote. “This ransomware uses the NW.js platform that allows developers to create native applications for Linux, Mac, and Windows using HTML5, CSS3, JavaScript, and WebGL.”

“[W]hile JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything ‘normal’ programming languages like C++ or Delphi can do,” Emsisoft’s Fabian Wosar explained in a blog post.

“For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms,” Wosar added. “So a NW.js application only needs to be written once and is instantly usable on Windows, Linux and Mac OS X.”

So while Ransom32 currently appears to be Windows-only, Wosar noted, it could easily be packaged for Mac OS X and Linux as well.

In addition, because NW.js is a legitimate framework and application, it’s extremely difficult for anti-virus software to detect the malware — at this point, VirusTotal reports that only three of 54 leading anti-virus solutions detect Ransom32 as malicious.

Once the malware is executed on a system, it starts a bundled Tor client to connect to a command and control server, then begins encrypting the user’s files and displays a ransom note demanding payment via Bitcoin within six days, or all encrypted data will be destroyed.
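The packaging described above (a Windows self-extracting WinRAR archive wrapping an NW.js runtime) is something a defender can triage for without a signature. The following is an added example, not code from the article, Emsisoft or BleepingComputer: it flags PE files that embed a RAR archive marker and ship NW.js runtime artefacts. The indicator file names, the two-hit threshold and the sample blobs are our own assumptions and constructed test data, not anything taken from a real sample.

```python
# Added example: heuristic triage for a WinRAR SFX bundling an NW.js app.
# Indicator strings and thresholds are assumptions chosen for illustration.
from dataclasses import dataclass, field

RAR4_SIG = b"Rar!\x1a\x07\x00"      # RAR 4.x archive marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x archive marker block
# Files a packaged NW.js application normally carries (assumed indicator set)
NWJS_INDICATORS = (b"package.json", b"nw.pak", b"node.dll")

@dataclass
class Verdict:
    is_pe: bool                      # starts with the MZ executable header
    is_rar_sfx: bool                 # RAR archive embedded in the executable
    nwjs_hits: list = field(default_factory=list)
    size_mb: float = 0.0

    @property
    def suspicious(self) -> bool:
        # PE wrapper + embedded RAR archive + at least two NW.js artefacts
        return self.is_pe and self.is_rar_sfx and len(self.nwjs_hits) >= 2

def inspect_bytes(data: bytes) -> Verdict:
    """Classify an in-memory file image using the heuristics above."""
    is_pe = data[:2] == b"MZ"
    is_rar_sfx = RAR4_SIG in data or RAR5_SIG in data
    hits = [i.decode() for i in NWJS_INDICATORS if i in data]
    return Verdict(is_pe, is_rar_sfx, hits, len(data) / (1024 * 1024))

def inspect_file(path: str) -> Verdict:
    """Read a file from disk (a 22 MB SFX fits in memory) and classify it."""
    with open(path, "rb") as f:
        return inspect_bytes(f.read())

# Constructed byte blobs standing in for files; none of this is real malware.
SFX_NWJS = (b"MZ" + b"\x00" * 62 + RAR4_SIG + b"\x00" * 16
            + b"package.json" + b"\x00" * 8 + b"nw.pak")
PLAIN_PE = b"MZ" + b"\x00" * 100          # ordinary executable, no archive
RAR_ONLY = RAR5_SIG + b"package.json"    # bare archive, not an SFX wrapper

if __name__ == "__main__":
    for name, blob in [("sfx_nwjs", SFX_NWJS), ("plain_pe", PLAIN_PE),
                       ("rar_only", RAR_ONLY)]:
        v = inspect_bytes(blob)
        print(f"{name}: suspicious={v.suspicious} hits={v.nwjs_hits}")
```

A hit is a reason to sandbox the file and look for the bundled Tor client and encryption behaviour described above, not a verdict on its own, since legitimate NW.js installers can match the same pattern.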

“Whatever feature or capability makes a language or platform great for developers will also be leveraged by cyber criminals,” Tripwire director of IT and risk strategy Tim Erlin told eSecurity Planet by email. “The self-contained runtime environment and cross-platform nature of NW.js allows a developer to ship code that’s easy to get running on as many systems as possible, and that’s just the kind of feature a malware author needs.”

“As is the case with most malware, we tend to focus on the interesting technical discussion of the code itself, rather than the much more practical infection vectors,” Erlin added. “No one wants to read another article about phishing, yet it continues to be a primary method for malware to find its intended target.”

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
