Ransom32: The first javascript ransomware

Published: 2016-01-04
Last Updated: 2016-01-04 21:45:43 UTC
by Manuel Humberto Santander Pelaez (Version: 1)
2 comment(s)

We have all seen how ransomware is becoming a pretty common trend in cybercrime. Well, there is a new variant, and this one has been built using JavaScript. This malware fakes the NW.js framework. Once installed, it connects to its C&C server on the Tor network, port 85, to get the bitcoin address and the crypto key used for encryption.

This trend is not new, and we have seen malware being built more and more sophisticated in order to avoid detection by any anti-malware control at the endpoint. You have to integrate endpoint security with network security and correlate any alerts that might indicate an incident in progress, such as a computer connecting to the Tor network.
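As an added illustration of the correlation the paragraph calls for (this is example code written for this page, not something from the diary or from Emsisoft's analysis), the Python below joins firewall connection logs against a list of known Tor relay addresses and then pairs any hit with endpoint alerts on the same host inside a time window. The log format, the relay addresses (RFC 5737 test ranges) and the alerts are all constructed; a real deployment would feed in the SIEM's own log schema and a maintained Tor relay feed.

```python
"""Correlate firewall connection logs with endpoint alerts to surface hosts
that talk to the Tor network around the time an endpoint alert fires.

Added example: log lines, relay list and alerts below are constructed for
illustration; they are not from the ISC diary or any real network.
"""
from datetime import datetime, timedelta

# Constructed "known Tor relay" addresses (RFC 5737 test ranges). In practice
# this set would be populated from a Tor relay/exit list feed.
KNOWN_TOR_RELAYS = {"198.51.100.7", "198.51.100.23", "203.0.113.44"}

# Constructed firewall log lines: timestamp, source host, dst ip, dst port, action
FIREWALL_LOG = """\
2016-01-04T20:58:02Z ws-0117 10.10.5.20 445 allow
2016-01-04T21:01:14Z ws-0117 198.51.100.7 443 allow
2016-01-04T21:01:15Z ws-0117 198.51.100.23 9001 allow
2016-01-04T21:02:30Z ws-0201 192.0.2.10 443 allow
2016-01-04T21:05:00Z ws-0340 203.0.113.44 443 deny
"""

# Constructed endpoint alerts: timestamp, host, alert text
ENDPOINT_ALERTS = [
    ("2016-01-04T20:59:40Z", "ws-0117", "self-extracting archive wrote an executable to %TEMP%"),
    ("2016-01-04T21:40:00Z", "ws-0201", "removable media inserted"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def tor_connections(log_text, relays=KNOWN_TOR_RELAYS):
    """Return (timestamp, host, dst_ip, dst_port, action) for every connection
    attempt to a known Tor relay, whether the firewall allowed or denied it."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, action = line.split()
        if dst in relays:
            hits.append((parse_ts(ts), host, dst, int(port), action))
    return hits


def correlate(log_text, alerts, window_minutes=10):
    """Pair each Tor connection with endpoint alerts for the same host within
    +/- window_minutes. Returns {host: {"tor": [...], "alerts": set(...)}}."""
    window = timedelta(minutes=window_minutes)
    incidents = {}
    for ts, host, dst, port, action in tor_connections(log_text):
        related = [a for a in alerts
                   if a[1] == host and abs(parse_ts(a[0]) - ts) <= window]
        entry = incidents.setdefault(host, {"tor": [], "alerts": set()})
        entry["tor"].append((ts.isoformat(), dst, port, action))
        entry["alerts"].update(a[2] for a in related)
    return incidents


def escalated_hosts(incidents):
    """Hosts that have both Tor traffic and a correlated endpoint alert."""
    return sorted(h for h, d in incidents.items() if d["alerts"])


if __name__ == "__main__":
    inc = correlate(FIREWALL_LOG, ENDPOINT_ALERTS)
    for host in escalated_hosts(inc):
        print(host, inc[host])
```

With the constructed input, ws-0117 is escalated (Tor traffic one minute after an endpoint alert), while ws-0340 shows a denied Tor connection with no endpoint alert and stays at the lower tier for review. Denied connections are kept on purpose: a block at the perimeter says nothing about what is already running on the host.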

More information at http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org




Who needs antimalware to fight such bloody trivial malware?
It's a self-extracting executable archive built with WinRAR, kids!
Someone has to run this self-extractor.
Fortunately Microsoft built SAFER alias Software Restriction Policies into (all! editions of) Windows more than 15 years ago, and hey, they also wrote some comprehensive guidance: https://technet.microsoft.com/en-us/library/cc786941.aspx, https://technet.microsoft.com/en-us/library/cc507878.aspx, https://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx, ...
Others chimed in: http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf, http://csrc.nist.gov/itsec/SP800-68r1.pdf, http://www.asd.gov.au/infosec/top35mitigationstrategies.htm, ...

In practice, read and follow http://mechbgon.com/srp/index.html or http://home.arcor.de/skanthak/SAFER.html

If you are still running an ancient Windows without SAFER: use NTFS ACLs, add an ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories" to each and every %USERPROFILE%.
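An added example, not part of the comment above: the ACE string quoted there is in SDDL syntax, and decoding it field by field is the quickest way to confirm it means what the commenter says. The Python below splits an ACE into its six fields and interprets the access mask as NTFS file rights. The token tables are the standard SDDL abbreviations (a subset; the full grammar is larger), and the second ACE in the test is constructed only to show a full-control allow entry for contrast.

```python
"""Decode an SDDL ACE such as "(D;OIIO;WP;;;WD)" into its parts, reading the
access mask as NTFS file-system rights.

Added example (not from the diary or its comments). The tables cover the
common SDDL tokens only.
"""
import re

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited",
             "SA": "audit success", "FA": "audit failure"}
# Two-letter rights tokens -> access-mask bits. Note "WD" here is WRITE_DAC;
# in the trustee field the same letters mean Everyone (World).
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0}
# Access-mask bits as NTFS interprets them on files.
FILE_BITS = [(0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"),
             (0x4, "FILE_APPEND_DATA"), (0x8, "FILE_READ_EA"),
             (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
             (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
             (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
             (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
             (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
             (0x10000000, "GENERIC_ALL"), (0x20000000, "GENERIC_EXECUTE"),
             (0x40000000, "GENERIC_WRITE"), (0x80000000, "GENERIC_READ")]
WELL_KNOWN_SIDS = {"WD": "Everyone", "BA": "Builtin Administrators",
                   "BU": "Builtin Users", "AU": "Authenticated Users",
                   "SY": "Local System", "CO": "Creator Owner"}

ACE_RE = re.compile(r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[0-9A-Za-z]*);"
                    r"(?P<og>[^;]*);(?P<iog>[^;]*);(?P<sid>[^)]+)\)")


def _pairs(s):
    """Split a run of two-letter tokens: "OIIO" -> ["OI", "IO"]."""
    if len(s) % 2:
        raise ValueError("odd-length token run: %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def access_mask(rights_field):
    """Rights may be a hex literal or a run of two-letter tokens."""
    if rights_field[:2].lower() == "0x":
        return int(rights_field, 16)
    mask = 0
    for tok in _pairs(rights_field):
        mask |= RIGHTS[tok]
    return mask


def applies_to(flags):
    """Plain-language scope of the ACE derived from its inheritance flags."""
    targets = []
    if "IO" not in flags:
        targets.append("this folder")        # IO: the ACE is not effective on the container itself
    if "CI" in flags:
        targets.append("subfolders")
    if "OI" in flags:
        targets.append("files")
    scope = ", ".join(targets) or "nothing (inherit-only without inherit flags)"
    if targets and ("OI" in flags or "CI" in flags):
        # Without NP, inheritable ACEs propagate down the whole tree.
        scope += " (direct children only)" if "NP" in flags else " at all depths"
    return scope


def decode_ace(ace):
    m = ACE_RE.fullmatch(ace)
    if not m:
        raise ValueError("not an SDDL ACE: %r" % ace)
    flags = _pairs(m["flags"])
    mask = access_mask(m["rights"])
    return {"type": ACE_TYPES.get(m["type"], m["type"]),
            "flags": [ACE_FLAGS[f] for f in flags],
            "mask": mask,
            "rights": [name for bit, name in FILE_BITS if mask & bit],
            "trustee": WELL_KNOWN_SIDS.get(m["sid"], m["sid"]),
            "applies_to": applies_to(flags)}


if __name__ == "__main__":
    print(decode_ace("(D;OIIO;WP;;;WD)"))
```

For the ACE from the comment the decoder reports a deny of FILE_EXECUTE (mask 0x20, which SDDL spells "WP") for Everyone, object-inherit and inherit-only, so it applies to files at every depth below the folder and not to the folder itself. That matches the commenter's reading; the "WD" trustee is Everyone, not the WRITE_DAC right of the same spelling.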
"Anonymous" above pretty much nailed that one. We do that as a group policy, and it cut out a lot of issues.
