Researchers uncover first-of-its-kind JavaScript based ransomware

© Thomas Peter
A new kind Javascript-based ransomware package is reportedly being sold on the dark web. Its users log into software that is provided as a service in exchange for giving the developers a cut of their extorted profits.

Emisoft Chief Technology Officer Fabian Wosar described the malware ‒ called Ransom32 ‒ and its web interface in a blog post, saying that users log in with their Bitcoin wallet addresses. Signups and connections are hidden within the Tor network, an anonymization system that requires special software to access.

Victims have critical files on their system held for ransom behind encryption that only the attacker has the key to unlock. Once logged in, cyber criminals are presented with a settings panel where they can adjust the messages displayed to those unlucky enough to be infected. Attackers can also track the payments made and see a list of the systems that were successfully infected.

Ransom32 works across operating systems and is based on the NW.js application development framework. The JavaScript malware is delivered in the form of a file named “chrome.exe” alongside a Tor client, which anonymizes all the traffic that is sent between the attacker and the victim.

After installing itself on a victim’s computer, Ransomware uses 128-bit AES encryption to hold hostage generally important file types, such as text files, PDFs, images, databases and music. If the victim wants to access these files again, they have to send payment in the form of bitcoin to the attacker, who can then choose to unlock them. The Ransom32 developers take a 25 percent cut of all the payments.

If a victim chooses to drag their feet, the payment required to unlock their computer will increase, the malware warns.

“You only have 4 days to submit the payment. When the provided time ends, payment will increase to 1 Bitcoins,” an example of Ransom32 says, as shown by security website BleepingComputer. “Also, if you don’t pay in 7 days, your unique key will be destroyed and you won’t be able to recover your files anymore.”

READ MORE: 'Most complex malware ever': Security experts smash system that stole cash from millions

Trying to get out of the ransom without paying is similarly cautioned against.

“If you try to remove this payment platform, you will never be able to decrypt your files and they will be lost forever,” the ransomware warns.

To show that they are serious about returning files safely, Ransom32 offers a novel feature “to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption," Wosar noted. "During this process the malware will send the encrypted AES key from the chosen file to the (command and control) server and gets the decrypted per-file AES key back in return."