A new breed of ransomware is on the rise

Recently, there has been evidence of the growth of the JavaScript-associated ransomware known as Ransom32.

Because JavaScript is the popular programming language of HTML and the Web, it has been a popular choice for hackers developing drive-by browser attacks. Furthermore, extensions such as Angular.js (for development simplification) and Node.js (for server-side programming) have given it greater breadth as a platform or framework.

However, it is the development of Node-Webkit (NW.js), a JavaScript-based framework that combines WebKit (the rendering engine used in Safari, Chrome and Opera) with Node.js, that has enabled this new breed of ransomware, Ransom32, to emerge.
This is because NW.js allows web developers to write display code, such as the popup messages and forms that Ransom32 shows, in HTML, CSS and JavaScript. What’s more, it works across many different browsers.

However, getting the victim to download the payload is not a trivial matter. According to “This can be the difficult part, especially with this particular piece of software, which clocks in at more than 20 megabytes. The victim will have to be somewhat dedicated in getting hold of it, but this can be achieved with relative ease if phony downloads of popular things are used. One idea to deploy this might be to simply make it seem to be a movie or something on a torrent site,” suggests writer and hardware hacker PH Madore.

"Anti-virus vendors are bound to come up with signatures eventually, but evading them by publishing new, packed builds would be trivial for the malware authors."
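The point about signatures can be seen in a triage check. The sketch below is an added example, not code from the article or from any vendor. It shows a SHA-256 signature missing a rebuilt package while a structural check for an NW.js-style `package.json` manifest still flags it for review. The sample bytes, the filler file and the function names are constructed for illustration, and a manifest match marks a file for analyst review, not as malicious.

```python
import hashlib
import io
import json
import zipfile

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def build_sample(filler: bytes) -> bytes:
    """Constructed sample: stub bytes followed by a zip with an NW.js-style manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        manifest = {"name": "demo-app", "main": "index.html", "window": {"frame": False}}
        z.writestr("package.json", json.dumps(manifest))
        z.writestr("index.html", "<html><body>demo</body></html>")
        z.writestr("filler.bin", filler)  # differing filler stands in for a rebuilt package
    return b"MZ" + b"\x00" * 64 + buf.getvalue()

def nwjs_manifest(blob: bytes):
    """Return the parsed package.json if the blob carries an NW.js-style app, else None."""
    try:
        # zipfile tolerates data prepended to the archive (e.g. an executable stub)
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            manifest = json.loads(z.read("package.json"))
    except (zipfile.BadZipFile, KeyError, ValueError):
        return None
    if not isinstance(manifest, dict):
        return None
    # An NW.js manifest requires the "name" and "main" fields
    if isinstance(manifest.get("name"), str) and isinstance(manifest.get("main"), str):
        return manifest
    return None

def triage(blob: bytes, known_hashes: set) -> dict:
    """Combine a hash lookup with the structural manifest check."""
    manifest = nwjs_manifest(blob)
    return {
        "sha256": sha256_hex(blob),
        "size_bytes": len(blob),
        "hash_match": sha256_hex(blob) in known_hashes,
        "nwjs_app": manifest is not None,
        "entry_point": manifest["main"] if manifest else None,
        "has_window_section": bool(manifest) and "window" in manifest,
    }

if __name__ == "__main__":
    first, rebuilt = build_sample(b"A" * 32), build_sample(b"B" * 32)
    signatures = {sha256_hex(first)}  # signature written for the first build only
    for blob in (first, rebuilt):
        print(triage(blob, signatures))
```

The manifest check also matches legitimate NW.js applications, so it is useful as a prioritisation signal alongside file size and download origin, not as a verdict.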

Image source: Shutterstock/Martial Red