JavaScript-based Ransom32 Makes Ransomware Easier Than Ever

by P. H. Madore, January 3, 2016

Ransomware has traditionally involved advanced exploitation of desktop vulnerabilities, gaining the Windows equivalent of root, and encrypting the file system in such a way that the user can only get out of it by making a payment. Police departments, along with thousands of everyday users, have been impacted. Often in the case of police departments, phishing was involved.

Thanks to recent advances in JavaScript’s viability as a platform, as evidenced by what seem to be daily additions to the JavaScript framework market (Angular.js, Node.js, and so forth), a new piece of ransomware is on the scene that allows the operator to deploy the malware very quickly and easily. The operator even gets a dashboard for designating the Bitcoin address to which the ransom is sent, as well as how much to ask for. The dashboard also has statistics, telling the malevolent actor exactly how much they have made from their endeavor.

Ransom32 relies on a fork of Node.js known as NW.js. After the malware pusher has configured and downloaded an archive of the software, they are presented with some files that they then must get deployed on target systems. This can be the difficult part, especially with this particular piece of software, which clocks in at more than 20 megabytes. The victim will have to be somewhat dedicated in getting hold of it, but this can be achieved with relative ease if phony downloads of popular things are used. One idea to deploy this might be to simply make it seem to be a movie or something on a Torrent site.

Ransom32 does not affect Mac or Linux users as it relies on the easy execution of an .exe file to achieve its ends. This is not to imply that the software cannot be ported to other desktop environments. Part of its success is that it’s utilizing JavaScript, which is a web-native language that exists literally everywhere. In the early days, JavaScript was used for simple things like tracking downloads and warning users of certain things on web forms.

But now it’s grown into a much more formidable language, in some ways comparable to more advanced languages like C++. This trend doesn’t seem to be going anywhere, so readers are advised to continually be careful about browser extensions and downloads, even if it’s just JavaScript. Most browsers have an option to not enable JavaScript and other things by default, and in these times, it wouldn’t exactly be extreme to simply enable extra things manually for each site.

For a more in-depth look at Ransom32, check out this blog post by Emisoft, which also happens to provide antivirus software for Windows that inoculates against Ransom32 among a host of other things. From there:

We consider ransomware one of the biggest threats of the past year and plan to do our best to continue our excellent track record in the next year, to keep our users as protected as possible.

The standard recommendation should also be added here: in 2016, you do not have to use Windows to get work done. It is quickly becoming the platform of gamers, not workers, and your choices are myriad.

  • Christian

    Note, the threat was discovered and analyzed by Emsisoft, not Emisoft.

  • Ashley Sheridan

    Your article seems to be very confused between Javascript executed in the browser and that executed elsewhere, like within a Node server. Turning off Javascript execution in your browser will do absolutely nothing if you’ve downloaded a malicious torrent with this payload.