New JavaScript Ransomware Sold as a Service

Crimeware services are nothing new. Criminals for years have advertised on the underground not only malware, but management services and support for banking Trojans, exploit kits and more.

Researchers this week turned up a new ransomware-as-a-service operation that pushes the first ransomware coded entirely in JavaScript. Ransom32 is available for download on a Tor hidden server to anyone with a Bitcoin address. The malware packaged into a Chromium executable using NW.js. The malware looks for and encrypts dozens of file types and asks for a ransom payable in digital currency; Ransom32’s creators get a 25 percent commission on every transaction.

ransom32_join

The service also includes a management interface that allows the criminal to configure the messaging presented to the victim and how much ransom to demand. Through this same interface, they can also lock the infected computer, keep CPU usage low as files are encrypted, and control latent timeouts. The interface can also be used to track income statistics, including how many times the ransomware has been installed, how many victims paid, and how many were shown the lockscreen, and how much Bitcoin they’ve racked up.

The first Ransom32 infections were reported to BleepingComputer and analyzed by researchers at Emisoft. Researcher Fabio Wosar said the download is quite large (22 MB) compared to other ransomware. Wosar explained that Ransom32 arrives in a WinRAR archive and contains a number of files including a Chromium executable disguised to look like the Chrome browser, which is instead the NW.js application that contains the malware and framework required to run it, he said.

The use of NW.js is noteworthy because the platform is used to develop desktop JavaScript apps not only for Windows, but also Mac OS X and Linux.

“So while JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything ‘normal’ programming languages like C++ or Delphi can do,” Wosar said. “The benefit for the developer is that they can turn their web applications into normal desktop applications relatively easily. For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms. So a NW.js application only needs to be written once and is instantly usable on Windows, Linux and MacOS X.”

For now, the researchers believe that Ransom32 is confined to Windows, but certainly with some alterations, can become a cross-platform service.

The ransomware’s behavior is pretty typical to other similar malware. It comes bundled with Tor, which it uses to connect to the command and control server and the Bitcoin address where payments are to be sent. The crypto keys are also sent via this connection.

“What makes the Ransom32 RaaS so scary is that Javscript and HTML are cross-platform and run equally as well on Macs and Linux as they do in Windows,” said Lawrence Abrams of BleepingComputer. “This means that with some minor tweaks, the Ransom32 developers could easily make NW.js packages for Linux and Mac computer. Though there does not seem to be any indication that this is being done as of yet, doing so would be trivial. It is inevitable that ransomware will be created for operating systems other than Windows.  Using a platform like NW.js just brings us one step closer.”