Ransom32 is a new type of ransomware written in JavaScript, which infects users via Node.js. The ransomware has been built on top of the NW.js platform and may be considered the first cross-OS ransomware family.
The NW.js platform, previously known as Node-WebKit, allows developers to create desktop applications from Node.js modules. With it, developers use JavaScript to reach into the underlying operating system's internals, just as more powerful languages like C++, Delphi, Java, ActionScript, and C# can.
NW.js uses a stripped-down version of WebKit, the layout engine used in Chrome, Safari, and Opera, with many of its restrictions removed. In this way, NW.js lifts the browser's limits and lets JavaScript programmers interact with the OS itself. NW.js runs on the three major operating systems, which means that ransomware coded to work on top of it would be able to target all of them at once.
Ransom32 has recently been identified as a new ransomware family that uses the NW.js platform to infiltrate users' computers and encrypt their files. Like other malware, the new ransomware is also distributed via spam email campaigns.
The malware operators place a malicious file inside emails, masquerading it as an unpaid invoice, delivery notification, etc. Once this file is downloaded by the PC user, it contacts a C&C server, where the malware operator instructs it to download a particular type of malware (Ransom32, for instance). In this case, the ransomware payload is a self-extracting WinRAR archive containing a slew of files that help the ransomware compromise the user's PC. One of the key facts about Ransom32 is that it uses JavaScript instead of C++ code to infect computers.
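Because the payload described above arrives as a self-extracting WinRAR archive, one cheap triage signal on the defender's side is to flag Windows executables that carry an embedded RAR archive: an SFX is a PE stub (starting with `MZ`) with the RAR data, and therefore the RAR magic bytes, appended after it. The script below is an added example, not code from the article or from Ransom32 itself; the sample byte strings are constructed here and the `MZ`/`PE` layout of the fake stub is only a placeholder, not a valid executable.

```python
"""Triage helper: flag PE files that embed a RAR archive (self-extracting archives).

Added example (not from the original article). Uses only the well-known RAR
magic bytes; everything else (sample files, thresholds) is constructed here.
"""
from typing import Optional

# Real RAR signatures: "Rar!\x1a\x07\x00" for RAR 4.x, "Rar!\x1a\x07\x01\x00" for RAR 5.
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
PE_MAGIC = b"MZ"


def find_embedded_rar(data: bytes) -> Optional[int]:
    """Return the offset of the first RAR signature inside a PE image, or None.

    The search starts past the MZ header so a bare .rar file (signature at
    offset 0) is not reported as an SFX.
    """
    if not data.startswith(PE_MAGIC):
        return None
    for sig in (RAR5_SIG, RAR4_SIG):  # check the longer RAR5 signature first
        idx = data.find(sig, len(PE_MAGIC))
        if idx != -1:
            return idx
    return None


def classify(data: bytes) -> str:
    """Coarse label for an attachment: rar-archive, pe-with-embedded-rar, pe, or other."""
    if data.startswith(b"Rar!\x1a\x07"):
        return "rar-archive"
    offset = find_embedded_rar(data)
    if offset is not None:
        return f"pe-with-embedded-rar@{offset}"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "other"


# Constructed samples: a fake PE stub and the same stub with a RAR4 payload appended.
PLAIN_PE = PE_MAGIC + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
SFX_PE = PLAIN_PE + RAR4_SIG + b"\x00" * 32
BARE_RAR = RAR5_SIG + b"\x00" * 16


if __name__ == "__main__":
    for name, blob in (("plain.exe", PLAIN_PE), ("invoice.exe", SFX_PE), ("a.rar", BARE_RAR)):
        print(f"{name}: {classify(blob)}")
```

A hit from `find_embedded_rar` is a reason to look closer (what does the archive contain, was the sender expected), not a verdict: plenty of legitimate installers are SFX archives too. The check is also trivially evaded by packers that do not leave the RAR header intact, so it belongs beside, not instead of, mail-gateway attachment policies and endpoint detection.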
“People may dismiss it as some kind of amateurish attempt at ransomware because of the file size, but it really isn’t,” said Emsisoft’s Fabian Wosar, referring to Ransom32’s huge 32 MB file size, compared to other ransomware families that rarely go above 1 MB.
“I break a lot of ransomware every month, and the way the crypto works in Ransom32 is secure. It actually is very reminiscent of the original CryptoLocker, which almost operated identical from a cryptography point of view,” Mr. Wosar said. “If there ever was like a successor of CryptoLocker from a cryptography point of view, this would be it.”
Unlike many other ransomware families, Ransom32 is currently undecryptable.
The authors of Ransom32 operate as a Ransomware-as-a-Service on the Dark Web. They offer users the chance to sign up, create their own customized version of the Ransom32 ransomware, download it, and then distribute it to other users. Payments are sent to the Bitcoin address of Ransom32’s authors, who take a 25% cut and forward the rest of the money to the intermediaries that helped distribute the ransomware. This makes it an attractive proposition for anyone, even someone with no background in computer technology.
Ransom32 can also be distributed via a wide range of other channels, such as malvertising, exploit kits, spear phishing, etc. Besides, the ransomware occupies only 22 MB on the hard disk, which users would hardly notice.
Presently, Ransom32 infects Windows machines only, though users may be one step away from seeing the first truly cross-OS ransomware family.