First Javascript-only Ransomware-as-a-Service Discovered

Ransom32 NoteCybercrime has piggybacked on the extremely successful SaaS model and several strains of Ransomware-as-a-Service (RaaS) like TOX, Fakben and Radamant have appeared in 2015.

However, a new strain called Ransom32 has a twist: it was fully developed in JavaScript, HTML and CSS which potentially allows for multi-platform infections after repackaging for Linux and MacOS X. Using JavaScript brings us one step closer to the "write-once-infect-all" threat, which is something to be aware of.

For the moment it's only a Windows executable though, and do not confuse Java and JavaScript. They use a very similar syntax but are completely different. Java is a (buggy) object oriented programming language, originally developed by Sun and now owned by Oracle when they acquired Sun. JavaScript on the other hand is an object oriented client-side scripting language that is implemented in the browser. Without JavaScript, most of the interactive features of almost every site on the web would not be possible, so you cannot just disable JavaScript because that breaks a large part of the web.


So, how did the bad guys implement this technically?  

What NW.js does is let you take node.js, standard JavaScript scripts, and chromium and bundle them into a single executable. When you run this executable, chrome executes and launches the JavaScript scripts. This allows any whitehat or blackhat developer to create and distribute native apps that run just like a normal executable. The malware package is a self-extracting RAR file of 22MB which expands to over 67MB.

Using this architecture they can encrypt client-side files without using much resources and stay under the radar to prevent detection. Ransom32 will target only specific file extensions and encrypt them using AES encryption but is using wildcards like .*sav* to maximize its "effectiveness".  A large benefit for the malware author is that NW.js is a legitimate framework and application so it is no surprise that antivirus signature coverage still very bad at the time we write this. See Virustotal.

How Does This Ransomware-as-a Service Work?

Any newbie cybercriminal can easily go to a darkweb TOR site, register with a Bitcoin address, configure and download their very own customized version of the executable. The developers take a 25% cut of all ransom payments and then forward the rest to their criminal affiliate. You can run multiple campaigns with different Bitcoin addresses. The executable can be spread with the usual infection vectors like massive spray-and-pray phishing campaigns, targeted spear-phishing, malvertising with poisoned ads on websites compromised with Exploit Kits causing drive-by-downloads of the RaaS executable, manually hacking linux servers or brute forcing terminal servers. 

What Is The Scary Part?

Larry Abrams at bleepingcomputer put it best: "No administrative rights necessary. Runs under the security context of the user. The ransomware itself isn't a big deal at all. It must be executed, just like any other executable because that is what it is, or installed via an exploit just like all other ransomware.

"The main point is that it is created in javascript. Javascript is cross-platform and so is node.js. Using NW.js, it would be trivial to take this javascript/node.js program and easily generate packages that run on Linux or Macs as well. You now have one codebase that works on all three major server and desktop environments. Then it just becomes up to the affiliate to decide how they distribute the ransomware package. With any would-be criminal able to easily signup, the sky is the limit. That is the scary part."

He summarized with this shorthand: "Uses AES encryption. Affiliate service. No way to decrypt for free at this time. Extracts to folder in %Temp% and %AppData%\Chrome Browser. Creates startup called ChromService. Uses TOR to communicate with C2."

What To Do About It

  • It is still early days, at the moment there is no known way to decrypt the files for free, but if malware researchers reverse engineer the code and find a way to get your files back, we will update this post.
  • Your best protection remains a solid and proven backup strategy, with regular off-site copies.
  • For mitigation purposes, treat this like any other ransomware. Continue blocking executables from running from standard paths (%appdata%, %temp%, etc).
  • Step your users through effective security awareness training which includes frequent simulated phishing attacks.

We want to thank our friends over at BleepingComputer, who brought this threat to our attention first. Also, for a more thorough and detailed explanation on how the Ransom32 utilizes NW.js and encrypts your data, please see this great Emsisoft article.

Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must

KnowBe4's integrated training and phishing platform allows you to send attachments with Word Docs with macros in them, so you can see which users open the attachments and then enable macros!

See it for yourself and get a live, one-on-one demo.

Request A Demo

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: 


Topics: Ransomware

Subscribe To Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews