The NW.js platform, previously known as Node-WebKit, allows developers to create desktop applications using Node.js modules. It lets them write in JavaScript while reaching into the underlying operating system, as more powerful languages like C++, Delphi, Java, ActionScript, and C# can.
NW.js uses a stripped-down version of WebKit, the layout engine used in Chrome, Safari, and Opera, but without many of the restrictions a browser imposes. In this way, NW.js removes the browser's limits and lets JS programmers interact with the OS itself. NW.js runs on the three major operating systems, which means that ransomware built on top of it could target all of them at once.
Lately, Ransom32 has been identified as a new ransomware family that uses the NW.js platform to infiltrate users' computers and encrypt their files. Like other malware, the new ransomware is distributed via spam email campaigns.
"People may dismiss it as some kind of amateurish attempt at ransomware because of the file size, but it really isn't," said Emsisoft's Fabian Wosar, referring to Ransom32's huge 32 MB file size, compared to other ransomware families that rarely go above 1 MB.
"I break a lot of ransomware every month, and the way the crypto works in Ransom32 is secure. It actually is very reminiscent of the original CryptoLocker, which operated almost identically from a cryptography point of view," Mr. Wosar said. "If there ever was a successor of CryptoLocker from a cryptography point of view, this would be it."
Unlike many other ransomware families, however, Ransom32 is currently undecryptable.
The authors of Ransom32 operate it as Ransomware-as-a-Service from the Dark Web. They offer users the chance to sign up, create their own customized version of the Ransom32 ransomware, download it, and then distribute it to victims. Ransom payments are sent to the Bitcoin address of Ransom32's authors, who take a 25% cut and then forward the rest of the money to the intermediaries that distributed the ransomware. This makes the scheme attractive even to people with no technical background.
Ransom32 can also be distributed via a wide range of other channels, like malvertising, exploit kits, spear phishing, etc. Besides, the ransomware takes only 22 MB of space on the hard disk, which users would hardly notice.
Presently, Ransom32 infects Windows machines only, though users may be one step away from seeing the first truly cross-OS ransomware family.