Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security

First Node.js-Powered Ransomware Discovered (softpedia.com) 69

An anonymous reader writes: A security researcher from Emsisoft has discovered a new ransomware family coded via NW.js (formerly Node-WebKit). Why is it unique? Because it is the first of its kind to use JavaScript for the ransomware's source code, it provides cross-OS support (we may see the first universal Windows-Linux-Mac ransomware in the future), and because the security researcher describes it as "successor of CryptoLocker" when it comes to encryption quality. The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable.
This discussion has been archived. No new comments can be posted.

First Node.js-Powered Ransomware Discovered

Comments Filter:
  • by Anonymous Coward

    Not only do I still need to bend over for Adobe. Now open source can screw me too!

    • Re: (Score:2, Insightful)

      by epyT-R ( 613989 )

      Yeah we replaced actionscript with javascript. How is this really an improvement? We still have an insecure virtual machine facing the internet whenever the browser makes a request.

      • We still have an insecure virtual machine facing the internet whenever the browser makes a request.

        Plenty of them are open source, if you find vulnerabilities get to fixing it or fund fixes to it.

        • by epyT-R ( 613989 )

          Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.`

          • Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.`

            No the best fix is to properly sandbox the VM. Otherwise every interactive website needs to have a system binary for iOS, Android, Windows, OSX, Linux, etc.

          • by dave420 ( 699308 )

            "This virtual machine is too insecure! Give me a binary I can run instead!". You've really not thought this through, have you grandpa?

      • by dos1 ( 2950945 ) on Sunday January 03, 2016 @06:36PM (#51232427)

        Okay, but how is that related? Using JavaScript with Node.js is no different than using Python with CPython, or any other interpreted language using their interpreter. The fact that browsers happen to use the same syntax for their in-page scripting doesn't mean anything here.

        • If a system is set up to require administer approval for installation of software, can this ransomware actually install the core utilities it needs to interact with the Operating System, without the user noticing? I'm quite willing to never install NW.js if that's all I need to, to protect myself from this.
          • by dos1 ( 2950945 )

            If the existence of that ransomware would prevent you from installing Node, then you should also uninstall Python, Ruby, Visual Basic, Perl etc.

            The only difference is that with node-webkit you usually get the interpreter bundled together with the application - and that actually, from user PoV, makes it no different than all the other apps written in C, C++, Rust, Delphi, Go etc.

  • The article states that node.js make make this "the first cross-OS ransomware family"... sounds ludicrous considering Java has been around for decades.
    • And Java's predecessors were old enough to drink when Java was laid out. In fact, given that computers used to be a great deal rarer than mathematicians, it may well be argued that we've had architecture-independent programs longer than we've had architectures and certainly longer than we've had OSes.
    • by Holi ( 250190 )
      Javascript is not Java
    • The new kids only knows Javscript, so...
  • Attack vector? (Score:4, Interesting)

    by mark-t ( 151149 ) <markt AT nerdflat DOT com> on Sunday January 03, 2016 @02:12PM (#51231339) Journal
    Specifically, what is the actual attack vector for this? All it seems like to me is that they've made a cross-platform trojan.... one that still needs to be explicitly executed by the end user. since the only self-executing js that I know of is within a web browser, and the javascript running inside of that can't even see the local filesystem, can it?
    • by Anonymous Coward

      NW.js removes the javascript limitation and can interact with the OS's filesystem.

      • by goombah99 ( 560566 ) on Sunday January 03, 2016 @03:21PM (#51231623)

        So it's installing a server for node JS. but that does not make it platform independent. the script side of it may be but not the backend and it has to install that too.

        • but that does not make it platform independent.

          Which is why he said cross-platform [slashdot.org] rather than "platform independent". There are many platforms that you can install a server for nodejs on.

        • whoo hooo. By that distinction if it ran in python, or C, or Wolfram we could call it cross platform. In fact that's true of any language short of powershell or dos batch files and even there you could run them in a VM so they too are cross platform if you are willing to install a heavy weight interpreter like nodeJS.

      • by mark-t ( 151149 )
        That's not a javascript limitation, that's a limitation imposed by the web browser. To my understanding, NW.js gives access to node.js from inside DOM, and has nothing to do with the OS's filesystem. To my understanding, the node.js filesystem api is for accessing permanent storage, and has about as much to do with the real filesystem as ~/.wine/drive_c has to do with the native file system.
        • by Anonymous Coward

          Node.js is a stand-alone Javascript environment. It has access to OS facilities like filesystem, processes and FFI.

          NW.js is "batteries included" Node.js where Webkit is used as GUI toolkit. PopcornTime is written in NW.js, AFAIK.

    • They are using the NW.js [docs.nwjs.io] javascript environment, packaged in their executable, to provide javascript interpretation without the browser limitations; but according to the article it is just being used in social engineering attacks at present, not coupled with an exploit.

      Presumably having the guts of the application in javascript will make the developer's life easier if he wants to produce a version for another platform and nothing prevents this being used as a payload for some other exploit that allows th
      • by mark-t ( 151149 )
        So... trojan?
    • by dos1 ( 2950945 )

      Download and run it. Just like lots of other trojans/ransomwares. It could have been written in Python, Ruby, Perl, whatever, there would be no difference. Someone just thought that the fact that it uses the same language that browsers happen to use for their scripting is somehow remarkable and news-worthy. It really isn't.

    • As a hack, it's nothing interesting. Anyone can build one of these, in basically any language.

      The article is interesting because it shows the trends that are going on in the malware world. Used to be malware was all C or assembly.

      The screenshots in the article are worth a look too. All commercialized and everything. Reminds me of the book McMafia [amazon.com].
  • Since V8's randomization is flawed, anything encrypted with it should be reversible!

    (I kid, I kid...)

  • The penalties for extortion of this kind are way too mild. 25 years to life should be the range.

    Add to it that this may be raising the stakes against the bitcoin economy.

  • "The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable."

    How does this ransomware get loaded and executed on Linux and Macs?
    • by Anonymous Coward

      You infect the user via a trojan that downloads the actual ransomware, which is a NW.js binary (which can easily get cross-platform support in future versions because NW.js is cool like that), which can then be automatically launched into execution in the background via multiple OS vulnerabilities that allow privilege escalation or remote code execution in older (or even newer) Mac or Linux versions. It's not that hard... but it takes a lot of effort into piecing all the code together.

    • by AC-x ( 735297 )

      How does this ransomware get loaded and executed on Linux and Macs?

      chmod +x

      :)

    • by Lennie ( 16154 )

      As I understand it, this ransomware is only the part that handles all the encryption and uploading the key, etc.

      So this depends on an exploit, the Windows exploit will probably be different from the Mac or Linux version.

      Windows desktops have a larger marketshare so that is why they are targeting that platform first ?

  • I've seen this (Score:5, Insightful)

    by JThundley ( 631154 ) on Sunday January 03, 2016 @06:49PM (#51232489)

    I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.

    The biggest shock in all this is that Windows will execute a .js file when you double-click it. How fucking retarded is that? I'm looking at changing the default program for .js files to be notepad instead of the Windows Scripting Host.

    • by Anonymous Coward

      I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.

      Thanks for this. I found this result - https://lgscout.com/malicious-resume-from-sammy-fields-a-less-than-ideal-candidate/
      Here is a search with more info: http://www.bing.com/search?q=resume.zip%20resume.js%20%20ransom&qs=n

      Your attacker may not be the same as what's reported there, considering these guys use kits based on standards... malicious open source, if you will....

    • Comment removed based on user account deletion

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...