First Node.js-Powered Ransomware Discovered (softpedia.com) 69
An anonymous reader writes: A security researcher from Emsisoft has discovered a new ransomware family coded via NW.js (formerly Node-WebKit). Why is it unique? Because it is the first of its kind to use JavaScript for the ransomware's source code, it provides cross-OS support (we may see the first universal Windows-Linux-Mac ransomware in the future), and because the security researcher describes it as "successor of CryptoLocker" when it comes to encryption quality. The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable.
So glad we "got rid of Flash" (Score:1)
Not only do I still need to bend over for Adobe. Now open source can screw me too!
Re: (Score:2, Insightful)
Yeah, we replaced ActionScript with JavaScript. How is this really an improvement? We still have an insecure virtual machine facing the internet whenever the browser makes a request.
Re: (Score:2)
We still have an insecure virtual machine facing the internet whenever the browser makes a request.
Plenty of them are open source, if you find vulnerabilities get to fixing it or fund fixes to it.
Re: (Score:2)
Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.
Re: (Score:2)
Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.
No, the best fix is to properly sandbox the VM. Otherwise every interactive website needs to have a system binary for iOS, Android, Windows, OS X, Linux, etc.
Re: (Score:2)
"This virtual machine is too insecure! Give me a binary I can run instead!". You've really not thought this through, have you grandpa?
Re:So glad we "got rid of Flash" (Score:4, Informative)
Okay, but how is that related? Using JavaScript with Node.js is no different than using Python with CPython, or any other interpreted language using their interpreter. The fact that browsers happen to use the same syntax for their in-page scripting doesn't mean anything here.
Curious (Score:2)
Re: (Score:2)
If the existence of that ransomware would prevent you from installing Node, then you should also uninstall Python, Ruby, Visual Basic, Perl etc.
The only difference is that with node-webkit you usually get the interpreter bundled together with the application - and that actually, from user PoV, makes it no different than all the other apps written in C, C++, Rust, Delphi, Go etc.
A First for Cross-OS Support? (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Note that in the debian.org set, Java won on CPU speed in one benchmark and lost on all of them in terms of resource utilization compared to C. So compared to C, it seems to back the assertion that Java on a JVM is disadvantaged CPU/memory-wise compared to a compiled C application. Of course, this is a selection of benchmarks that has had the world to think about it and probably does not represent what the average developer will achieve with the respective languages.
Of course, there are a lot of languages whose runti
Re: (Score:2)
Attack vector? (Score:4, Interesting)
Re: (Score:2)
Re: (Score:1)
NW.js removes the JavaScript limitation and can interact with the OS's filesystem.
How is it platform independent? (Score:4, Informative)
So it's installing a server for Node.js, but that does not make it platform independent. The script side of it may be, but not the backend, and it has to install that too.
Re: (Score:2)
but that does not make it platform independent.
Which is why he said cross-platform [slashdot.org] rather than "platform independent". There are many platforms that you can install a server for nodejs on.
Re: (Score:2)
Whoo hooo. By that distinction, if it ran in Python, or C, or Wolfram, we could call it cross-platform. In fact that's true of any language short of PowerShell or DOS batch files, and even there you could run them in a VM, so they too are cross-platform if you are willing to install a heavyweight interpreter like Node.js.
Re: (Score:2)
Re: (Score:1)
Node.js is a stand-alone JavaScript environment. It has access to OS facilities like the filesystem, processes and FFI.
NW.js is "batteries included" Node.js where Webkit is used as GUI toolkit. PopcornTime is written in NW.js, AFAIK.
Re: (Score:2)
Presumably having the guts of the application in javascript will make the developer's life easier if he wants to produce a version for another platform and nothing prevents this being used as a payload for some other exploit that allows th
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Download and run it. Just like lots of other trojans/ransomwares. It could have been written in Python, Ruby, Perl, whatever, there would be no difference. Someone just thought that the fact that it uses the same language that browsers happen to use for their scripting is somehow remarkable and news-worthy. It really isn't.
Re: (Score:1)
Re: (Score:2)
The article is interesting because it shows the trends that are going on in the malware world. Used to be malware was all C or assembly.
The screenshots in the article are worth a look too. All commercialized and everything. Reminds me of the book McMafia [amazon.com].
Good argument for using Chrome (Score:2)
Since V8's randomization is flawed, anything encrypted with it should be reversible!
(I kid, I kid...)
Re: (Score:2)
Re: (Score:2, Informative)
Node-webkit stuff will definitely NOT run inside a browser. That was the entire point of node-webkit. It's a node environment fused with a webkit environment.
Which, editors, is not "node.js"; it's a fork.
Re: (Score:2)
Aside from the fact that it has a browser engine built in and probably uses HTML for its UI, it's absolutely unrelated to browsing or HTML in any other way.
The penalties for extortion of this kind... (Score:1)
The penalties for extortion of this kind are way too mild. 25 years to life should be the range.
Add to it that this may be raising the stakes against the bitcoin economy.
First universal Windows-Linux-Mac ransomware .. (Score:1)
How does this ransomware get loaded and executed on Linux and Macs?
Re: (Score:1)
You infect the user via a trojan that downloads the actual ransomware, which is a NW.js binary (which can easily get cross-platform support in future versions because NW.js is cool like that), which can then be automatically launched into execution in the background via multiple OS vulnerabilities that allow privilege escalation or remote code execution in older (or even newer) Mac or Linux versions. It's not that hard... but it takes a lot of effort to piece all the code together.
Re: (Score:2)
Just like any other trojan.
Re: (Score:2)
How does this ransomware get loaded and executed on Linux and Macs?
chmod +x
Re: (Score:2)
As I understand it, this ransomware is only the part that handles all the encryption and uploading the key, etc.
So this depends on an exploit, the Windows exploit will probably be different from the Mac or Linux version.
Windows desktops have a larger market share, so that is why they are targeting that platform first?
I've seen this (Score:5, Insightful)
I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.
The biggest shock in all this is that Windows will execute a .js file when you double-click it. How fucking retarded is that? I'm looking at changing the default program for .js files to be notepad instead of the Windows Scripting Host.
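The file-association change the poster mentions is a standard hardening step, and it is worth doing for all of the Windows Script Host file types, not just .js. The PowerShell below is an added example written for this page; it is not the poster's code and has nothing to do with Ransom32 or the Emsisoft write-up. It assumes the stock WSH ProgIDs (JSFile, JSEFile, VBSFile, VBEFile, WSFFile, WSHFile) under HKLM\SOFTWARE\Classes, which is what a default Windows install has, and it goes beyond the post by covering the whole WSH family rather than only .js. It edits HKLM, so it must run from an elevated PowerShell session.

```powershell
# Added example, not from the Slashdot thread or the article it discusses.
# Repoints the Windows Script Host file classes at Notepad so a double-clicked
# "resume.js" attachment opens as text instead of running under wscript.exe.
# Assumption: the standard WSH ProgIDs below exist (true on a stock install).

$scriptProgIds  = @('JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile')
$notepadCommand = '"' + (Join-Path $env:SystemRoot 'system32\notepad.exe') + '" "%1"'

function Get-OpenCommand {
    # Returns the machine-wide "open" command for a ProgID, or $null if the key is absent.
    param([string]$ProgId)
    $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$ProgId\Shell\Open\Command"
    if (-not (Test-Path $key)) { return $null }
    (Get-ItemProperty -Path $key).'(default)'
}

function Test-ScriptHostAssociation {
    # Audit: which script file classes still launch through wscript.exe / cscript.exe?
    foreach ($id in $scriptProgIds) {
        $cmd = Get-OpenCommand -ProgId $id
        [pscustomobject]@{
            ProgId         = $id
            Command        = $cmd
            ExecutesOnOpen = ($null -ne $cmd -and $cmd -match '(w|c)script\.exe')
        }
    }
}

function Set-ScriptHostToNotepad {
    # Back up the current commands to JSON, then point every WSH class at Notepad.
    param([string]$BackupPath = (Join-Path $env:TEMP 'scripthost-assoc-backup.json'))
    $backup = @{}
    foreach ($id in $scriptProgIds) {
        $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$id\Shell\Open\Command"
        if (-not (Test-Path $key)) { continue }
        $backup[$id] = Get-OpenCommand -ProgId $id
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepadCommand
    }
    $backup | ConvertTo-Json | Set-Content -Path $BackupPath
    Write-Host "Original open commands saved to $BackupPath"
}

function Restore-ScriptHostAssociation {
    # Undo: put the saved commands back from the JSON backup.
    param([string]$BackupPath = (Join-Path $env:TEMP 'scripthost-assoc-backup.json'))
    $saved = Get-Content -Path $BackupPath -Raw | ConvertFrom-Json
    foreach ($prop in $saved.PSObject.Properties) {
        $key = "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\$($prop.Name)\Shell\Open\Command"
        Set-ItemProperty -Path $key -Name '(default)' -Value $prop.Value
    }
}

# Typical use from an elevated prompt:
#   Test-ScriptHostAssociation | Format-Table      # see what executes on double-click today
#   Set-ScriptHostToNotepad                        # harden
#   Test-ScriptHostAssociation | Format-Table      # ExecutesOnOpen should now be False
```

Two caveats a practitioner should know. First, a per-user "open with" choice (the UserChoice entries under HKCU\...\Explorer\FileExts) overrides the HKLM class, so run the audit function as the actual user to confirm the result. Second, this only changes what Explorer does on double-click; wscript.exe and cscript.exe still run when called explicitly, so treat it as a phishing-attachment mitigation and not as a WSH block.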
Re: (Score:1)
I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.
Thanks for this. I found this result - https://lgscout.com/malicious-resume-from-sammy-fields-a-less-than-ideal-candidate/
Here is a search with more info: http://www.bing.com/search?q=resume.zip%20resume.js%20%20ransom&qs=n
Your attacker may not be the same as what's reported there, considering these guys use kits based on standards... malicious open source, if you will....
Re: (Score:2)