Ransom32

This post is going to examine Ransom32, the first ransomware that is powered by JavaScript.

JavaScript has been used for many years as an attack vehicle, exploiting weaknesses in Internet protocols and web browsers. Yet despite this wide use for nefarious purposes, the reach of JavaScript itself was limited to the browser, because there was no way to run it directly on a victim's machine. That changed with the advent of Node, which provides an engine that interprets and runs JavaScript locally. Node is one of the leading factors in the rising popularity of JavaScript today.

Ransomware is a type of malware that, in one form or another, encrypts files on the victim's computer and then demands money before it will provide the key to decrypt them. Ransom32 sets a time period within which the ransom must be paid; if it is not paid, the key is deleted and the files become irretrievable. Ransomware is easy to distribute, wreaks havoc on many systems at once, and requires little maintenance from the distributor. According to the folks at Emsisoft, ransomware has been one of the biggest rising threats to Internet security in the past year.

The meat of Ransom32 is an application that spoofs the Chrome browser, runs the encryption scripts, and communicates with a command server. It is written in JavaScript and compiled into a native application using Node and the NW.js framework. NW.js lets programmers build native desktop applications from HTML, CSS and JavaScript; once compiled, the application runs on the target system. NW.js currently supports Linux, Mac OS X and Windows, so a single code base can be compiled into a native OS X, Windows or Linux application. This significantly shortens time to production and is the most interesting feature of Ransom32.

Once unpacked and established on the machine, Ransom32 begins encrypting files. It currently targets only Windows, but since NW.js can compile applications for any of its supported platforms, experts believe the malware could easily be modified to target Linux or Mac OS X in the future.

Node is a great tool and is allowing developers to create applications at record speed; whether those applications bring good or ill is up to us.
