Ransom32: The First Javascript-Based, Ransomware-as-a-Service Hits All Operating Systems


Security researchers have discovered a first-of-its-kind ransomware that uses a JavaScript engine to infect users. The ransomware uses the NW.js platform to interact directly with the computer's operating system. What makes this particular malware problematic is that it uses JavaScript as its mode of delivery. Currently, the malware is being offered on the affiliate market to whoever wishes to use it.

Ransom32 is a ransomware developed with JavaScript's NW.js framework to encrypt a user's files. NW.js is a cross-platform runtime environment used to develop server-side web applications. The framework allows the developer to make calls to modules based on Node.js, which gives the application more control over the operating system. What makes this ransomware stand out among others, however, is that it is the first ransomware based on JavaScript. Since NW.js is a cross-platform environment, the same code could be used to target other operating systems such as Linux and OS X.

So far, infections have only been detected on Windows systems. The malware was first reported by users in BleepingComputer's forum and analyzed by security researchers xXToffeeXx and Fabian Wosar from Emsisoft. They discovered that the malware has been made available through the Tor network as "Malware-as-a-service", where anyone can pay to use the ransomware. Would-be attackers only need to set up a Bitcoin address to which the ransom payments are routed. The affiliate is then sent to an interface that allows them to customize various parameters of the malware, such as the message to display, the ransom amount, and the time frame for payment.

Interface used to configure Ransom32's parameters. Source: blog.emsisoft.com

Ransom32 is distributed through spam emails containing a RAR file. Once executed, Ransom32 unpacks into the temporary files folder and copies itself to the "%AppData%\Chrome Browser" directory. The malware then creates a shortcut in the Startup folder to ensure it is executed on every boot, and connects to its Command and Control (C&C) server through Tor. Once the connection is established, the malware displays its ransom note and begins encrypting files matching a list of file extensions. For a more detailed list of the files and directories affected, see Mr. Wosar's article on Ransom32.
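The persistence described above (a copy of the malware under "%AppData%\Chrome Browser" plus a shortcut in the Startup folder) gives a defender two concrete indicators to check on a Windows host. The following PowerShell snippet is an added example and is not code from the original article or from Emsisoft; it assumes the Startup shortcut's target points into that drop directory and that the per-user Startup folder returned by .NET's Environment.GetFolderPath is the one used.

```powershell
# Added example: check a Windows host for the Ransom32 persistence indicators
# described in the article. Assumptions (not from the article): the Startup
# shortcut's target resolves into the "%AppData%\Chrome Browser" directory, and
# the per-user Startup folder is the one the shortcut was dropped into.
$startupDir = [Environment]::GetFolderPath('Startup')
$suspectDir = Join-Path $env:APPDATA 'Chrome Browser'
$findings   = @()

# 1. The drop directory itself should not exist on a clean host
#    (a real Chrome installation does not use this path).
if (Test-Path -LiteralPath $suspectDir) {
    $fileCount = (Get-ChildItem -LiteralPath $suspectDir -File -Recurse -ErrorAction SilentlyContinue |
                  Measure-Object).Count
    $findings += [pscustomobject]@{
        Indicator = 'DropDirectory'
        Path      = $suspectDir
        Detail    = "$fileCount file(s) present"
    }
}

# 2. Any Startup-folder shortcut (.lnk) whose target resolves into that directory.
#    WScript.Shell's CreateShortcut reads an existing .lnk without modifying it.
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -LiteralPath $startupDir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -and $target.StartsWith($suspectDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += [pscustomobject]@{
            Indicator = 'StartupShortcut'
            Path      = $_.FullName
            Detail    = "target: $target"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Ransom32 persistence indicators found.'
} else {
    # Either indicator on its own is enough to isolate the host and start triage.
    $findings | Format-Table -AutoSize
}
```

Run it in a PowerShell session under the affected user's account, since both %AppData% and the Startup folder are per-user paths. Because the check reads only the two locations the article names, it is a fast first-pass triage rather than a replacement for a full scan of the host.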

Ransom note displayed once the malware is extracted and executed. Source: blog.emsisoft.com

According to Mr. Wosar, this ransomware is not the work of a novice. Despite its uncommon size of 32 MB, Ransom32 is very secure and similar to the infamous CryptoLocker. In an interview with Softpedia he explains that NW.js packages the application together with its runtime into a single executable file, so the malware does not need to rely on the system having a particular framework installed. As of now, Ransom32 is still undecryptable.

Mr. Wosar suggests keeping a secure data backup in place to protect your system from ransomware. Also make sure that the backup is stored outside of your computer, and set the backups up to save new information regularly. Not only does this protect the system from ransomware, it is also good practice for protecting your files from physical damage to your system or accidental deletion.
