Ransom32 Is a JavaScript-Based Ransomware That Uses Node.js to Infect Users

Share this…

Ransom32 may be the first cross-OS ransomware family. A new type of ransomware has been spotted, the first of its kind, a ransomware that uses JavaScript to infect its users, being coded on top of the NW.js platform.

NW.js, formerly known as Node-WebKit, is a powerful platform that allows developers to create desktop applications via Node.js modules. The platform lets programmers use JavaScript in the same way, and with the same power and reach inside the underlying operating system’s guts, as other more powerful languages like C++, Delphi, Java, ActionScript, and C#.

If the name hasn’t tipped you off yet, NW.js uses a stripped down version of WebKit, the same layout engine used in Chrome, Safari, and Opera, but without many of its limitations. While browsers limit what JavaScript code can do, NW.js removes these limits and allows JS developers to interact with the OS itself.

NW.js can run on all three major operating systems, meaning that ransomware coded to work on top of it would theoretically be able to target all operating systems at once.

Using Node.js to infect and encrypt user files

According to Emsisoft’s Fabian Wosar, a new ransomware family that goes under the name of Ransom32 is using the NW.js platform for infiltrating the victims’ computers, and then locking their files.

As Mr. Wosar told Softpedia, Ransom32 is currently distributed only via spam email campaigns. This is a classic method of distributing any type of malware, not just ransomware, and is not unique to Ransom32.

Malware operators place a malicious file inside emails masquerading as unpaid invoices, delivery notifications, and such, which when downloaded and launched by unsuspecting victims go on to contact a C&C (command and control) server, where the malware operator tells it to download a particular type of malware (Ransom32 in this case).

For Ransom32 infections, the ransomware payload is a self-extracting WinRAR archive, which contains a slew of files to help the ransomware compromise the user’s computer. If you’d like to read about Ransom32’s step-by-step infection method, we recommend reading Mr. Wosar’s technical write-up about Ransom32’s modus operandi.

“They kind of picked a bad time to launch their campaign really. The earliest samples I could find in our data sets date back to December 19th. Most people already went off to their holidays at that point. So I would be tempted to say we haven’t seen it in full force yet,” Mr. Wosar told Softpedia.

“Obviously, you could also argue they picked a great time to launch their campaign, given that even 4 days after I wrote that blog post, AV detection is still pretty much non-existent,” Mr. Wosar also noted, pointing Softpedia to a minutes-old Ransom32 sample (at the time of the article), detected only by three antivirus engines on VirusTotal.

Ransom32 is not the work of an amateur

But besides the odd period to launch a ransomware campaign, Ransom32 stood out in our eyes for other things as well, and the biggest of them was for using JavaScript instead of C++ code to infect computers.

We reached out to Mr. Wosar and his experience in dealing with ransomware for a few extra clarifications.

“It’s technically not the best solution for creating cross-OS threats. It is certainly a viable one. There are many frameworks you could use to accomplish something like that. Java or even .NET for example,” said Mr. Wosar.

“The benefit of NW.js though is, that with all these other frameworks you need the ‘runtime’ installed on the system already. This can be the .NET framework or Mono in case of .NET or the Java Runtime in case of Java. NW.js has this neat way of packing the runtime and your NW.js into one single executable. So you don’t rely on the user having some kind of existing framework installed.”

“At the moment Ransom32 doesn’t take advantage of it [NW.js] fully yet, but it easily could. Whether other groups will adopt similar frameworks most likely depends on how successful Ransom32 turns out to be,” Mr. Wosar said about the chances of seeing more Node.js-powered ransomware in the future.

Ransom32 includes top-shelf quality encryption

“People may dismiss it as some kind of amateurish attempt at ransomware because of the file size, but it really isn’t,” Mr. Wosar said, referring to Ransom32’s huge 32 MB file size, compared to other ransomware families that rarely go above 1 MB.

“I break a lot of ransomware every month, and the way the crypto works in Ransom32 is secure. It actually is very reminiscent of the original CryptoLocker, which almost operated identical from a cryptography point of view,” Mr. Wosar told Softpedia. “If there ever was like a successor of CryptoLocker from a cryptography point of view, this would be it.”

Ransom32’s ransom message

Ransom32's ransom message

Ransom32 is currently undecryptable, which says a lot, since Mr. Wosar has decrypted many ransomware families in the past, like Radamant, Gomasom, and DecryptorMax.

Ransom32 authors operate as a Ransomware-as-a-Service from the Dark Web

As for its origins, Mr. Wosar also tracked down the ransomware to a RaaS (Ransomware-as-a-Service) portal on the Dark Web (Tor network).

Here, the ransomware’s authors are offering anyone the chance to sign up, create their own customized version of the Ransom32 ransomware, download it, and then distribute it to other users.

All payments are sent to the Bitcoin address of Ransom32’s authors, from where they take a 25% cut, and then forward the rest of the money to the intermediaries that helped distribute the ransomware.

“Since pretty much everyone can get ‘their’ malware, distribution channels can be as diverse as the people who sign up for it. It’s not like exploit kits have a file size limit for example,” said Mr. Wosar, hinting at the fact that Ransom32 can also be distributed via a wide range of other channels, like malvertising, exploit kits, spear phishing, and so on.

“While 22 MB sounds quite large, the reality is it takes less than 2 seconds with my connection to download it, and I doubt many people would actually notice that 22 MB if it was downloaded in the background by a malware downloader or an existing infection,” Mr. Wosar added.

Currently, only Windows machines have been infected, but we may be one update cycle away from seeing the first truly cross-OS ransomware family.

Ransom32’s RaaS sign-up page

Ransom32's RaaS sign-up page