
First JavaScript-only ransomware as a service poses new threat

Stu Sjouwerman, Founder and CEO, KnowBe4

Cybercrime piggybacked on the extremely successful software-as-a-service model in 2015, as several strains of ransomware as a service (RaaS), including TOX, Fakben and Radamant, emerged. 

Now a new strain, Ransom32, has added a twist: it was developed entirely in JavaScript, HTML and CSS, which means the same codebase could in principle be repackaged for Linux and Mac OS X and infect all three platforms.

Using JavaScript brings us one step closer to the "write-once-infect-all" threat. Here's what the attack looks like: 

For the moment it ships only as a Windows executable. Also, don't confuse Java with JavaScript: the names and some of the syntax are similar, but the two are otherwise unrelated. Java is a compiled, object-oriented language that runs on the Java Virtual Machine, originally developed by Sun and now owned by Oracle, and its browser plugin has a long record of exploited vulnerabilities.

JavaScript is a scripting language best known as the language of the browser, although, as Ransom32 itself demonstrates, it also runs outside one via Node.js. Without JavaScript, most of the interactive features of almost every site on the Web would not work, which is why simply disabling it is not a practical defense: it would break a large part of the Web.


How the bad guys implement it  

NW.js (formerly node-webkit) lets you bundle Node.js, ordinary JavaScript files and the Chromium browser engine into a single executable. When you run that executable, the bundled Chromium starts and runs the scripts. This lets any developer, whitehat or blackhat, build and distribute a native-looking application that behaves like a normal executable. The Ransom32 package is a self-extracting RAR file of 22 MB, which expands to over 67 MB, most of it the bundled runtime rather than the ransomware logic itself.

Using this architecture, the attackers encrypt files on the victim's machine from what looks like an ordinary application doing file I/O, without noticeable resource use, and in this way stay under the radar. Ransom32 targets only specific file extensions and encrypts the matching files using AES (Advanced Encryption Standard), but it uses wildcard patterns such as .*sav* rather than a fixed list so that variant extensions are caught as well. A large benefit for the malware author is that NW.js is a legitimate, widely used framework, so the executable's structure looks like any other NW.js application; it comes as no surprise that antivirus signature coverage was still very poor when the sample appeared.


How ransomware as a service works

Any newbie cybercriminal can go to a Tor hidden service, register with a Bitcoin address, and configure and download his very own customized version of the executable. The developers take a 25 percent cut of all ransom payments and forward the rest to their criminal affiliate.

It's easy to run multiple campaigns from different Bitcoin addresses, and the executables are spread by way of the usual infection vectors: massive spray-and-pray phishing campaigns, targeted spearphishing, malvertising and compromised websites feeding exploit kits that drive-by-download the RaaS executable, manually hacked Linux servers, and brute-force attacks on terminal servers.

The scary part

Larry Abrams at BleepingComputer put it best: "No administrative rights necessary. Runs under the security context of the user. The ransomware itself isn't a big deal at all. It must be executed, just like any other executable, because that is what it is, or installed via an exploit, just like all other ransomware.

"The main point is that it is created in JavaScript. JavaScript is cross-platform and so is node.js. Using NW.js, it would be trivial to take this JavaScript/node.js program and easily generate packages that run on Linux or Macs as well. You now have one codebase that works on all three major server and desktop environments. Then it just becomes up to the affiliate to decide how they distribute the ransomware package. With any would-be criminal able to easily sign up, the sky is the limit. That is the scary part."

He summarized with this shorthand: "Uses AES encryption. Affiliate service. No way to decrypt for free at this time. Extracts to folder in %Temp% and %AppData%\Chrome Browser. Creates startup called ChromService. Uses TOR to communicate with C2."

What to do about it

It is still early days, and at the moment there is no known way to decrypt the files for free, but if malware researchers reverse engineer the code and find a way to get your files back, I will update this post.

Your best protection remains a solid, regularly tested backup strategy, with off-site (and preferably offline) copies that the malware running under a user's account cannot reach. For mitigation purposes, treat this like any other ransomware. Continue blocking executables from running out of user-writable paths such as %AppData% and %Temp%, which are exactly the locations Ransom32 extracts into. Finally, step your users through effective security awareness training that includes frequent simulated phishing attacks.
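The following PowerShell script is an added example written for this page; it is not code from the article, from KnowBe4 or from Ransom32. It serves two passages above: part 1 hunts a Windows machine for the traces in the BleepingComputer summary (the %AppData%\Chrome Browser folder, a startup entry named ChromService, an oversized self-extracting executable in %Temp%), and part 2 implements the "block executables from %AppData% and %Temp%" advice as an AppLocker policy and dry-runs it before enforcing. The choice to check both the Run keys and the Startup folder, the 15 MB size threshold, the policy file name and the default allow rules are my assumptions, marked as such in the comments. Run it in an elevated PowerShell on a test machine first.

```powershell
# Added example (editor's code, not the article's, KnowBe4's or Ransom32's).
# Part 1: hunt for the Ransom32 traces quoted above.
# Part 2: deny execution from the profile paths the article names, via AppLocker.

# ---- Part 1: indicators quoted in the article -------------------------------
function Find-Ransom32Traces {
    $hits = @()

    # "Extracts to folder in %Temp% and %AppData%\Chrome Browser"
    $dropDir = Join-Path $env:APPDATA 'Chrome Browser'
    if (Test-Path -Path $dropDir) { $hits += "Drop folder present: $dropDir" }

    # "Creates startup called ChromService". The article does not say whether that
    # is a Run-key value or a Startup-folder item, so both are checked (assumption).
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like '*ChromService*' -or "$($props.$name)" -like '*Chrome Browser*') {
                $hits += "Autorun entry: $key\$name = $($props.$name)"
            }
        }
    }
    $startupDir = [Environment]::GetFolderPath('Startup')
    foreach ($item in (Get-ChildItem -Path $startupDir -Filter '*ChromService*' -ErrorAction SilentlyContinue)) {
        $hits += "Startup item: $($item.FullName)"
    }

    # The article says the dropper is a 22 MB self-extracting RAR. Unusually large
    # executables under the user's %Temp% are worth a look; 15 MB is my threshold.
    $bigExes = Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq '.exe' -and $_.Length -gt 15MB }
    foreach ($exe in $bigExes) {
        $hits += "Large executable in TEMP: $($exe.FullName) ($([int]($exe.Length / 1MB)) MB)"
    }

    return $hits
}

$traces = Find-Ransom32Traces
if ($traces) { foreach ($t in $traces) { Write-Warning $t } } else { Write-Output 'No Ransom32 traces found.' }

# ---- Part 2: deny execution from the profile paths the article names --------
# AppLocker has no %APPDATA% or %TEMP% variable; profile paths are written as
# %OSDRIVE%\Users\*\AppData\* . The per-user %TEMP% is AppData\Local\Temp, so one
# deny rule covers both locations. Deny rules win over allow rules; the three allow
# rules are AppLocker's defaults so Windows and installed software keep working.
# Rule Ids must be GUIDs; S-1-1-0 is Everyone, S-1-5-32-544 is Administrators.
function New-ProfilePathDenyPolicy {
    param([string]$OutFile = (Join-Path $env:ProgramData 'deny-appdata-exe.xml'))  # file name is my choice
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny executables under AppData and Temp" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\AppData\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Administrators everywhere" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $OutFile -Value $xml -Encoding UTF8
    return $OutFile
}

$policyFile = New-ProfilePathDenyPolicy

# Dry run: drop a harmless copy of notepad into %TEMP% and ask AppLocker what the
# policy would decide for it and for the original in System32 (expect Denied / Allowed).
$probe = Join-Path $env:TEMP 'applocker-probe.exe'
Copy-Item -Path "$env:WINDIR\System32\notepad.exe" -Destination $probe
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $probe, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item -Path $probe

# Enforce on this machine (use -Ldap to target a domain GPO instead). Enforcement
# needs the Application Identity service running; set its startup type by policy too.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Two caveats a practitioner should keep in mind. First, the indicators in part 1 are weak: affiliates build their own customized executables, so the folder and startup names can change, and an absent hit proves nothing. Second, the deny rule also blocks legitimate per-user installs that live under AppData (some browsers and collaboration clients install there); inventory what currently runs from those paths with `Get-AppLockerFileInformation -Directory $env:LOCALAPPDATA -Recurse -FileType Exe` and add publisher allow rules for them before switching EnforcementMode from AuditOnly to Enabled in production.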
