As with any technology platform or product, when market adoption starts to proliferate and widen, the potential for malware vulnerabilities to surface also increases by a commensurate degree. This trade off appears to now be evidenced as a result of the growth of the JavaScript-associated ransomware known as Ransom32.
As the ‘programming language of HTML and the web', JavaScript's success has seen it develop into what can more widely be considered to be a ‘framework' or ‘platform' with greater breadth. New additions to the JavaScript world include design extensions such as Angular.js and Node.js for development simplification and server-side programming (respectively) and so on.
But it is thanks to JavaScript's viability as a technology for the web that this new breed of ransomware has emerged. Exposed by researchers from security firm Emsisoft and education website BleepingComputer, Ransom32 stems from the development of Node-Webkit (NW.js), a JavaScript-based framework that combines Webkit (the rendering engine used in Safari, Chrome and Opera) with Node.js.
NW.js allows web-developers to write display code, such as the popup messages and forms that Ransom32 shows, in HTML, CSS and JavaScript and have it work across many different browsers, as Chris Czub, security research engineer at Duo Security, explained.
Czub told us that a quick look at VirusTotal reveals that Ransom32 is not well detected by most anti-virus products (at the time of writing it had a detection ration of seven out of 54 AV products).
Here's the hard part
According to Hacked.com, after the malware perpetrator has configured and downloaded an archive of the NW.js software, they are presented with some files that they then must get deployed on target systems.
“This can be the difficult part, especially with this particular piece of software, which clocks in at more than 20 megabytes. The victim will have to be somewhat dedicated in getting hold of it, but this can be achieved with relative ease if phony downloads of popular things are used. One idea to deploy this might be to simply make it seem to be a movie or something on a torrent site,” suggests writer and hardware hacker PH Madore.
“Anti-virus vendors are bound to come up with signatures eventually, but evading them by publishing new, packed builds would be trivial for the malware authors,” Czub said. “The fact that the current malware is unpacked and has such a large file size yet no cross-platform support indicates a low level of sophistication on the part of the authors.”
It is important to note that Ransom32 was not initially developed with the ability to affect Mac or Linux users, as it depends upon the successful execution of a Windows.exe file to deliver its payload and present a ‘lock screen' on the user's machine.
According to self-education tooling and technical support website BleepingComputer, what makes Ransom32 so scary is that JavaScript and HTML are cross-platform and run equally as well on Macs and Linux as they do in Windows. “This means that with some minor tweaks, the Ransom32 developers could easily make NW.js packages for Linux and Mac computers. Though there does not seem to be any indication that this is being done as of yet, doing so would be trivial,” writes Lawrence Abrams.
Catalin Cosoi, chief security strategist at Bitdefender, told SCMagazineUK.com that JavaScript could mean big business for ransomware attackers. “A ransomware capable of running on all three major operating systems means a bigger market for cyber-criminals, who will target more victims and thus, raise more ransom money,” he said.
Yours to take home today, for a 25 percent cut
Ransom32 is also designed for the would-be hacker with less talent than ambition.
To help navigate through the complexities of launching and monitoring an attack, it presents the hacker with a user-friendly dashboard. The dashboard also helps specify which Bitcoin address ransom demands should be paid to and how much should be paid. The original developers of Ransom32 take a 25 percent cut of all ransom payments achieved.