Ransom32 – the first Ransomware in JavaScript

2016 will definitely bring us many great news, but Ransom32 is surely not one of them – at least for people not involved in cybercrimes. This is a brand new Ransomware that differs from previous incarnations due to the language it has been written in – for the first time we have a Ransomware written solely in JavaScript, HTML and CSS due to the usage of the NW.js framework.

• js is a framework based on the Chromium and Node.js projects. It allows the development of Windows, Linux and Mac OS programs under JavaScript. Normal JS code is contained within the browser and cannot execute any control over your OS, but NW.js breaks these limitations and allows the programmer to use JavaScript as a traditional language like C++ can be used.

Not only that but Ransom32 comes with its own configuration setup for affiliates. A person who knows the right address on the Tor network can obtain a copy of Ransom32 for free. The signing program is open to anyone interested – the only thing you need is a Bitcoin wallet and its address.

• The Tor network is a heavily obfuscated network of anonymous sites that deals mainly with illegal activities that need the secrecy it provides. Bitcoins are untraceable online currency that has been growing in popularity over recent years. The Bitcoin-Tor tandem allows cybercriminals to receive large amounts of completely untraceable money payments and remain anonymous themselves.

More on the affiliate version of Ransom32

As mentioned if you are privy to the address from which to obtain Ransom32 the only thing you need to have is a functional Bitcoin address to provide. You’ll need it to receive 75% of any ransom paid as part of the affiliate offer promoted by this new ransomware.

It is scary how easy the affiliate version of Ransom32 is to set up – its actually more user-friendly then some commercially sold software. It actually comes with a user’s console in which you can tweak the properties of your copy of Ransom32 to your liking. Some options include:

• Setting the amount of BTC coins asked from the victims. Actually comes with advice to the wanna-be hackers not to be excessively greedy!
• An option to fully lock the user’s computer. Normally Ransom32 will deliver a pop-up every few seconds informing the user of its presence, using this option will make the virus make the computer unusable. Apparently this will also lock the browser and make payment from the same machine impossible.
• A Low-CPU usage option. Normally you can spot a ransomware by the sudden spike of CPU usage, because encryption is a slow and cumbersome process. Using this option will extend the encryption process over time, but make it much more difficult to detect.
• Show the lock screen immediately – normally Ransom32 will only inform the user of its presence once every file is encrypted. Selecting this option will show the screen immediately after the virus Is installed with the downside that the owner of the computer may copy his files before they are encypted.
• A latent timeout option – the hacker can use this to delay the start of the encryption process after Ransom32 has been installed. This trick may be used to fool some less sophisticated security programs.

Having customized his copy of Ransom32 the only thing the hacker needs to do now is download and distribute it. The Ransomware takes the form of a 22MB self-extracting RAR archive. In our test lab we discovered that once triggered the archive will transform into a number of files that are approximately 66MBs in size. The only thing needed for an infection by this executable is for it to be downloaded into the targeted computer and run in that environment.

The distribution method is left solely to the designs of the affiliate partner. People without the necessary computer skills and information are not likely to do much harm with this virus archive, but for for people that have access to spam-bots, hacked emails, Skype and Facebook accounts Ransom32 becomes a scary tool indeed.

Method of operation

When Ransom32 is run on the affected computer it will extract itself into C:\Users\CurrentUser\AppData\Roaming\Chrome Browser. All files associated with Ransom32 are deliberately made to mimic Chrome files to reduce suspicion. A shortcut under the name of ChromeService will also be added to the start menu and also to the MsConfig file, so that the process is able to start at login. This shortcut points to the chrome.exe executable file – actually a NW.js package that contains the javascript code, which carries the instructions needed to encrypt the targeted data and display the ransom note.

Here is a list of the files that come with Ransom32, as well as a rough description of their functionality:

• chrome – a license agreement for Chromium
• chrome.exe – main executable of the ransomware. In practice it is a package of NW,js code.
• ffmpegsumo.dll – this is a DLL file that comes bundled with Chromium. It is needed for the HTML5 video decoder.
• g – this is the settings file of the ransomware. It contains information about all the options selected when constructing Ransom32, as well as any added text to be added to the ransom note.
• icudtl.dat – this file is required by Chromium
• locales – this folder is actually used by Chrome to store language files
• msgbox.vbs – this file can display an additional message box accompanying the ransom note if that option is selected. If not, it is empty.
• nw.pak – The NW.JS platform requires this file in order to function
• rundll32.exe – this is actually a renamed TOR executable. It is required for communicating with the server that handles everything.
• s.exe – a renamed shortcut for a program called OptimumX. This is a legitimate program used for creating shortcuts and used in the creation of the Chromeservice shortcut.
• u.vbs – A VBS script used to delete specific folders and their content. Likely used to clean up the original files after the encrypted copies are created.

Ransom32 employs a double-timer pressure method – it will give you a very limited amount of time to make you pay a modest sum of money. Afterwards it given an extended period, but at a much higher price. This strategy is reminiscent of a marketing trick intended to make you believe you are offered a “promotion” or a “discount”.

The ransom screen is also expanded compared to more simply and direct Ransomware threats in existence. You are given the option to decrypt one file for free as proof that you’ll get your money’s worth and also has support for different languages with English being the default.

As of the time of writing of this article there is no known method to decrypt files already encrypted by the virus, but methods involving the restoration of the deleted original copies have seen some success. Should anything change in this regard we’ll be happy to report our findings as quickly as we can.

What makes Ransom32 and its usage of JavaScript and HTML so scary?

You may be wondering – what’s the deal with JavaScript and HTML? Well for people stuck on Windows the language in which the Ransomware is written hardly matters – they are equally vulnerable to all other variations of Ransomware that already exist.

The scary truth is that these languages come with multi-system functionality. Existing programs already require relatively little work in order to be made compatible with Linus and Mac OS. For years Ransomware has been the bane of computer viruses and only users on the Windows OS have been exposed to it. So far Ransom32 is only limited to Windows, but it is likely that the hackers behind it are making an effort to make it compatible with the other popular operating systems in use. Consider the fact that most data bases and servers are hosted under the Linux OS –  should Ransomware manage to cross the platform barrier the future will look much scarier for everyone that is not a cyber-criminal.