Security researchers are warning of a newly discovered Ransomware-as-a-Service campaign using malware written in JavaScript for the first time.
Fabian Wosar of security firm Emsisoft explained in a blog post that Ransom32 can be signed up to on a Tor site using just a Bitcoin address to which the spoils will be sent—minus a 25% cut.
After signing up, users will be able to access a basic admin page—enabling them to see how many systems are infected; observe how much money has been collected; and tweak various settings for the ransomware.
These include how much BTC to request from victims, and whether to fully lock the computer or allow a victim to minimize the lock screen—enabling them to check whether their files are fully encrypted or not.
Ransom32 is a 22MB self-extracting RAR file, which weighs in at over 67MB when extracted. Once run, the executable creates a shortcut, ChromeService, which points to a chrome.exe package.
This is in fact a packed NW.js application containing the JavaScript which will encrypt a victim’s computer files and pop up the ransom note.
NW.js has several advantages.
As a legitimate framework it can fly in under the radar of traditional signature defenses, and could theoretically work with a few minor adjustments on Linux and Mac OS X systems, although it’s only been observed as a Windows threat thus far.
Once Ransom32 is executed and installed, it will connect to a C&C server on Tor, note the Bitcoin address to which the victim is told to pay the ransom, and display the blackmail message.
Encryption is AES-128 bit and the malware includes an option to decrypt one file to prove to the victim it can be done.
Wosar claimed that, when it comes to ransomware, “the best protection is a well-organized backup strategy.”
He added that security tools featuring behavioral analysis to complement traditional signature techniques are more likely to catch such advanced strains.
Photo © Sergey Tarasov