New Ransomware Thought to Affect All Computing Platforms

cybersecA new piece of malware that encrypts a victim’s files until the victim pays a ransom to decrypt them has surfaced. This new threat is called Ransom32, and it was written in Javascript, a cross-platform language that is normally used to add interactive features to web pages. Because Javascript is a portable language, executing in the same way regardless of the host operating system, Ransom32 can impact any Windows, Mac, or Linux machine. This makes it a uniquely cross-platform attack.

Javascript is the most popular language for building responsive and interactive web pages. Typically used for showing and hiding sections of web pages, populating lists, and dynamically setting text content and properties, Javascript enables web developers to write programs that run inside of web browsers. The code for a Javascript program is embedded directly within the code for the web page, or it is linked to the web page in some other way. When a user visits a page that uses Javascript, the user’s web browser sets up a virtual sandbox in which the Javascript code is supposed to execute. The purpose of the sandbox is to isolate what the Javascript program does from the operating system. The sandbox would then prevent the program from accessing the files on the user’s machine, for example, or, more specifically, from encrypting the files on the user’s machines.

Ransom32, however, escapes the sandbox. It does this using a framework called NW.js. A framework is a set of code libraries that make it easer for Javascript programmers to include sophisticated features in their applications. Specifically, the NW.js framework enables Javascript applications to work around the security sandbox and directly access operating system features that would normally be forbidden by the sandbox. Because NW.js is a legitimate framework, it is difficult to craft cyber security protections against applications that use it, because then both good and malicious applications that use NW.js would be blocked. So, bad Javascript applications like Ransom32 are allowed to pass through an organization’s defenses as easily as good applications that use NW.js.

To perpetrate the attack, a hacker typically embeds a link to the Ransom32 application in an email that tries to fool the user into clicking it. The text and appearance of the email are crafted to make it seem that the link concerns something legitimate. When the user clicks the link, the Ransom32 application loads. It immediately accesses the user’s file system and begins encrypting the files using AES-128, an industry-standard encryption algorithm. It shows the user the attacker’s bitcoin address and instructs him to pay a particular fee to that address. Once the victim pays the fee in bitcoin, his files will be decrypted. The only way to recover the files is to pay the fee.

Of course, the author of Ransom32 benefits significantly from these shenanigans, taking a 25 percent cut of the attacker’s earnings. In other words, for every 100 bitcoins paid by Ransom32 victims, the author of Ransom32 earns 25 bitcoins. That’s a pretty sweet deal.

How can users protect themselves? It’s simple: always be suspicious of links, particularly in emails. Don’t just click them. Hover over a link and carefully examine the address that shows up in the bottom left corner of the page. If the email seems to concern your online banking account, but the link address leads somewhere other than your online banking website, look away, because that link probably leads to peril, perhaps even to a Ransom32 attempt. Put your guard up and resist the urge to click.

About Ray Klump

Associate Dean, College of Aviation, Science, and Technology at Lewis University Director, Master of Science in Information Security Lewis University,, You can find him on Google+.

Leave a Reply

Your email address will not be published. Required fields are marked *