Difficult to block JavaScript-based ransomware can hit all operating systems

A new type of ransomware that still goes undetected by the great majority of AV solutions has been spotted and analyzed by Emsisoft researchers (via Google Translate).

Ransom32 is delivered on the victims’ computer in the form of a self-extracting WinRAR archive. It uses the built-in scripting language to unpack its contents and among the files it unpacks is one called chrome.exe.

This executable is a packed NW.js application.

NW.js is a JavaScript framework for application development. It allows developers to to create desktop applications via Node.js module, and these apps to interact with the target operating system.

An additional advantage of this type of approach is that the same JavaScript code can be packaged to run on different platforms. So far, it has been spotted targeting Windows users, but it can be easily made to hit Linux machines and Macs.

According to Emsisoft’s Fabian Wosar, the campaign delivering the sample they analyzed takes the form of bogus emails. They trick victims into downloading a file that will ultimately download Ransom32 to the computer.

The ransomware encrypts a bevy of file types, and it’s encryption scheme has yet to be broken.

But the most interesting thing about it is that it’s offered to wannabe criminals as a service.

The researchers have tracked down the Dark Web portal that criminals are directed to use, and through it they can both shape the ransomware to their needs and wants, and see the statistics (how many systems have been infected, how many users have paid the ransom, etc.):

As mentioned before, protecting yourself against this threat is difficult: NW.js is a legitimate framework, so blocking apps developed through it cannot be the right approach for security solutions.

This is partly why most of them still struggle to detect Ransom32.