Monday, January 4, 2016
Crimeware services are nothing new.
Criminals for years have advertised on the underground not only malware, but
management services and support for banking Trojans, exploit kits and more.
Researchers this
week turned up a new ransomware-as-a-service operation that pushes the
first ransomware coded entirely in JavaScript. Ransom32 is
available for download on a Tor hidden server to anyone with a Bitcoin address.
The malware packaged into a Chromium executable using NW.js. The malware looks
for and encrypts dozens of file types and asks for a ransom payable in digital
currency; Ransom32’s creators get a 25 percent commission on every transaction.
The service also includes a
management interface that allows the criminal to configure the messaging
presented to the victim and how much ransom to demand. Through this same
interface, they can also lock the infected computer, keep CPU usage low as
files are encrypted, and control latent timeouts. The interface can also be
used to track income statistics, including how many times the ransomware has
been installed, how many victims paid, and how many were shown the lockscreen,
and how much Bitcoin they’ve racked up.
The first Ransom32 infections were reported to
BleepingComputer and analyzed by researchers at Emisoft. Researcher Fabio Wosar
said the download is quite large (22 MB) compared to other ransomware. Wosar explained that Ransom32 arrives
in a WinRAR archive and contains a number of files including a Chromium
executable disguised to look like the Chrome browser, which is instead the
NW.js application that contains the malware and framework required to run it,
he said.
The use of NW.js is noteworthy
because the platform is used to develop desktop JavaScript apps not only for
Windows, but also Mac OS X and Linux.
“So while JavaScript is usually
tightly sandboxed in your browser and can’t really touch the system it runs
upon, NW.js allows for much more control and interaction with the
underlying operating system, enabling JavaScript to do almost everything
‘normal’ programming languages like C++ or Delphi can do,” Wosar said. “The
benefit for the developer is that they can turn their web applications into
normal desktop applications relatively easily. For normal desktop application
developers it has the benefit that NW.js is able to run the same
JavaScript on different platforms. So a NW.js application only needs
to be written once and is instantly usable on Windows, Linux and MacOS X.”
For now, the researchers believe that
Ransom32 is confined to Windows, but certainly with some alterations, can
become a cross-platform service.
The ransomware’s behavior is pretty
typical to other similar malware. It comes bundled with Tor, which it uses to
connect to the command and control server and the Bitcoin address where
payments are to be sent. The crypto keys are also sent via this connection.
“What makes the Ransom32 RaaS so
scary is that Javscript and HTML are cross-platform and run equally as well on
Macs and Linux as they do in Windows,” said Lawrence Abrams of
BleepingComputer. “This means that with some minor tweaks, the
Ransom32 developers could easily make NW.js packages for Linux and
Mac computer. Though there does not seem to be any indication that this is
being done as of yet, doing so would be trivial. It is inevitable that
ransomware will be created for operating systems other than Windows.
Using a platform like NW.js just brings us one step closer.”
