Ransomware Just Got Worse By The Use of JavaScript
Bohs Hansen / 9 years ago
Ransomware is probably one of the peskiest and most annoying things that your computer can catch. Not only do you lose access to your files, you have to pay a criminal to release them again. Even if you should choose to pay, there is no guarantee what-so-ever that the criminal will release the files again or hide more malware to hit you again once you are “free”. If that wasn’t bad enough, a new version of Ransom32 has arrived that exploits JavaScript in order to infect you and worst of all, barely any anti-virus and anti-malware programs will catch it at this time.
While all this sounds bad, there are ways to protect yourself and if you use common sense while surfing the web, then you should be safe anyway. Stay away from dubious websites and don’t touch any archive or executable downloaded from anything but official manufacturer websites. But let us get back to the new malware in question, the ransomware called Ransom32.
Ransom32 is built on the NW.js-Framework which was developed to build desktop applications on a javascript base. A really cool framework by the way. That, unfortunately, means that where we usually only see Windows users that are at risk, those with Linux and MacOS are equally vulnerable to Ransom32. Thanks to the use of this framework, the ransomware is able to get past the sandbox environment that JavaScript runs in these days.
The security researcher Fabian Wosar from EmsiSoft discovered the new Ransom32 as a self-extracting RAR-Archiv. If that archive is unpacked, it will hide in your temp folder and disguise itself as the Chrome web browser and be visible as Chrome.exe. This is where advanced users already had noticed it and not used any automatic-unpack function. However, should the new chrome.exe be executed, then it will start to encrypt all your files with AES-128 bit CTR-mode and also place itself firmly in the systems autostart features.
The Ransom32 creators have also made it very easy for people to use their tool. Evil minded people can access the tool via a Tor address. When on the site, they can customize the tools features before downloading it. The creators reportedly also use the same network for their control servers and connections. To top the whole thing off, the creators take 25 percent of the accumulated ransoms for themselves, and everything stays anonymous thanks to the use of Bitcoins.
We can only hope that the virus scanners and anti-malware tools get an update soon so the less tech-minded people won’t get infected by this nasty new piece of software. You can also read a lot more details about this new piece of software on the EmsiSoft blog.