Each new year brings unexpected surprises, some good and some bad. This post is about a bad surprise for 2016, the first new malware of the year: Ransom32.

A new variety of much-hated ransomware has hit the Internet. This new ransomware is unique because it is the first known ransomware written in JavaScript. It is provided through Tor as a Ransomware-as-a-Service (RaaS) based on the cloud model so familiar in the IT industry today.

Ransom32 allows infection and encryption on nearly every operating system you can name: Mac, Windows and Linux are all vulnerable to this malware. It is the first ransomware programmed entirely in JavaScript, HTML and CSS. Because it is built on these web technologies, it can be modified and adapted to the different operating systems running in your network with little effort.

As of now, there is no known way to decrypt your files once Ransom32 has encrypted them. It is extremely important that you have valid and usable backups of all your important files to prevent catastrophic loss if this malware infects your system.

So how does this ransomware work? First, a hacker signs up for the RaaS over Tor, supplying a Bitcoin address to become an affiliate. This gives the criminal access to the “affiliate console”, where they can configure how the malware should behave and monitor the progress of their personal distribution campaign.

Image source: http://www.bleepingcomputer.com/news/security/ransom32-is-the-first-ransomware-written-in-javascript/

Ransom32 allows the criminal to tailor the ransomware to targeted victims. The console continuously reports how many victims have successfully installed the malware, and lets the attacker set how much ransom to demand, whether or not to fully lock the computer, and more. It truly is a service that gives the attacker a high degree of control.

Here is a little more detail on how this particular ransomware will infect your systems.

Ransom32 comes packaged as a self-extracting WinRAR archive. The malware code is stored in a file named “chrome.exe”, which looks like an executable for the Google Chrome web browser. It is, however, actually an application packaged with NW.js. NW.js is a cross-platform development framework that allows programs to be written in popular web technologies such as HTML, CSS, and JavaScript. This is what lets the malware run on a wide variety of operating systems, as mentioned before.
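When triaging an extracted archive of this kind, the question a responder wants answered quickly is whether the file calling itself chrome.exe is really Chrome or an NW.js bundle wearing its name. The following script is an added example and is not code from the original post or from any vendor; it assumes that an NW.js bundle ships its runtime data files (such as nw.pak) beside the executable and a package.json whose "main" entry points at web content, and it uses a constructed sample directory and an empty placeholder hash allowlist that an operator would fill from their own golden Chrome builds.

```python
"""Heuristic check for an NW.js application masquerading as Google Chrome.

Added example (not from the original post). The indicator file names and the
package.json heuristic are assumptions about typical NW.js bundles; the hash
allowlist is a placeholder to be populated from known-good Chrome installs.
"""
import hashlib
import json
import os
import tempfile

# Files NW.js ships next to its runtime executable (assumed indicators).
NWJS_RUNTIME_FILES = {"nw.pak", "icudtl.dat"}
# Placeholder: SHA-256 hashes of genuine chrome.exe builds in your estate.
KNOWN_GOOD_CHROME_SHA256 = set()


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def package_json_main(path):
    """Return the 'main' entry of a package.json, or None if absent/unreadable."""
    try:
        with open(path, encoding="utf-8") as handle:
            manifest = json.load(handle)
    except (OSError, ValueError):
        return None
    main = manifest.get("main") if isinstance(manifest, dict) else None
    return main if isinstance(main, str) else None


def scan_extracted_archive(directory, allowlist=KNOWN_GOOD_CHROME_SHA256):
    """Return a list of findings for an extracted archive; [] means nothing flagged."""
    findings = []
    entries = {name.lower(): os.path.join(directory, name) for name in os.listdir(directory)}
    chrome = entries.get("chrome.exe")
    if chrome is None:
        return findings  # nothing claiming to be Chrome here
    digest = sha256_of(chrome)
    if digest not in allowlist:
        findings.append(f"chrome.exe SHA-256 {digest[:16]}... is not on the known-good allowlist")
    runtime_files = sorted(NWJS_RUNTIME_FILES & entries.keys())
    if runtime_files:
        findings.append("NW.js runtime files found beside chrome.exe: " + ", ".join(runtime_files))
    if "package.json" in entries:
        main = package_json_main(entries["package.json"])
        if main and main.lower().endswith((".html", ".js")):
            findings.append(f"package.json launches web content: main={main!r}")
    return findings


def build_sample_bundle(directory):
    """Write a constructed sample layout (inert stubs, not real malware) into directory."""
    with open(os.path.join(directory, "chrome.exe"), "wb") as handle:
        handle.write(b"MZ" + b"\x00" * 62)  # constructed stub, not a real PE file
    with open(os.path.join(directory, "nw.pak"), "wb") as handle:
        handle.write(b"\x00" * 16)
    with open(os.path.join(directory, "package.json"), "w", encoding="utf-8") as handle:
        json.dump({"name": "sample", "main": "index.html"}, handle)


def demo_suspicious():
    """Scan the constructed NW.js-style bundle; expect three findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        return scan_extracted_archive(tmp)


def demo_allowlisted():
    """Scan a lone chrome.exe whose hash is on the allowlist; expect no findings."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = os.path.join(tmp, "chrome.exe")
        with open(exe, "wb") as handle:
            handle.write(b"MZ" + b"\x00" * 62)  # constructed stub standing in for real Chrome
        return scan_extracted_archive(tmp, allowlist={sha256_of(exe)})


if __name__ == "__main__":
    for finding in demo_suspicious():
        print("SUSPICIOUS:", finding)
    print("allowlisted sample findings:", demo_allowlisted())
```

The hash allowlist is the strongest of the three checks, since file names and companion files are trivially changed by an attacker; the NW.js indicators are there to explain to the analyst why an unknown chrome.exe is worth a closer look rather than to serve as the sole verdict.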

Put simply, you do not want to be infected with ransomware! Last year saw numerous ransomware infections and a host of problems caused by this type of malware. Since ransomware is profitable, we can only expect the criminals to continue to improve and deploy such malware. Ransom32 has so far only been seen as a Windows infection, but the way it is built allows for easy modification to other platforms, so beware. 2016 is only beginning, and as you can see, the criminals are not resting or enjoying time off.

As we enter a new year, we are here to help. Here are some important ideas you should consider to help protect you from ransomware threats:

  • Always keep and test regular backups of your important data.
  • Make sure you run an updated active anti-virus security suite on your system.
  • Do not open email attachments from unknown sources.
  • Always browse the Internet safely.
  • Train your employees in proper Internet safety and how to spot fake emails.

NTT Security Incident Response Services can assist your organization with planning for and responding to cyber security incidents. Contact NTT Security today to learn more about how we can help protect your organization.

References:

http://www.securityweek.com/ransom32-javascript-ransomware-offered-service

http://www.bleepingcomputer.com/news/security/ransom32-is-the-first-ransomware-written-in-javascript/

http://thehackernews.com/2016/01/javascript-ransomware-malware.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29