Slashdot Mirror


First Node.js-Powered Ransomware Discovered (softpedia.com)

An anonymous reader writes: A security researcher from Emsisoft has discovered a new ransomware family coded via NW.js (formerly Node-WebKit). Why is it unique? Because it is the first of its kind to use JavaScript for the ransomware's source code, it provides cross-OS support (we may see the first universal Windows-Linux-Mac ransomware in the future), and because the security researcher describes it as "successor of CryptoLocker" when it comes to encryption quality. The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable.

69 comments

  1. So glad we "got rid of Flash" by Anonymous Coward · · Score: 1

    Not only do I still need to bend over for Adobe. Now open source can screw me too!

    1. Re:So glad we "got rid of Flash" by epyT-R · · Score: 1, Insightful

      Yeah we replaced actionscript with javascript. How is this really an improvement? We still have an insecure virtual machine facing the internet whenever the browser makes a request.

    2. Re:So glad we "got rid of Flash" by Anonymous Coward · · Score: 0

      How is this really an improvement?

      It forces you to buy high-end hardware just to display something that flash could do 15 years ago on a P3

    3. Re:So glad we "got rid of Flash" by exomondo · · Score: 1

      We still have an insecure virtual machine facing the internet whenever the browser makes a request.

      Plenty of them are open source, if you find vulnerabilities get to fixing it or fund fixes to it.

    4. Re:So glad we "got rid of Flash" by dos1 · · Score: 3, Informative

      Okay, but how is that related? Using JavaScript with Node.js is no different than using Python with CPython, or any other interpreted language using their interpreter. The fact that browsers happen to use the same syntax for their in-page scripting doesn't mean anything here.

    5. Re:So glad we "got rid of Flash" by epyT-R · · Score: 1

      Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.

    6. Re:So glad we "got rid of Flash" by exomondo · · Score: 1

      Well, sure, but the best fix is to remove the VM. If you want to run code on a client machine, distribute a system binary. This way we don't have to recreate modern operating system security models all over again inside the browser.

      No the best fix is to properly sandbox the VM. Otherwise every interactive website needs to have a system binary for iOS, Android, Windows, OSX, Linux, etc.

    7. Re:So glad we "got rid of Flash" by dave420 · · Score: 1

      "This virtual machine is too insecure! Give me a binary I can run instead!". You've really not thought this through, have you grandpa?

  2. A First for Cross-OS Support? by speedplane · · Score: 0

    The article states that node.js may make this "the first cross-OS ransomware family"... sounds ludicrous considering Java has been around for decades.

    --
    Fast Federal Court and I.T.C. updates
    1. Re:A First for Cross-OS Support? by fuzzyfuzzyfungus · · Score: 1

      And Java's predecessors were old enough to drink when Java was laid out. In fact, given that computers used to be a great deal rarer than mathematicians, it may well be argued that we've had architecture-independent programs longer than we've had architectures and certainly longer than we've had OSes.

    2. Re:A First for Cross-OS Support? by Holi · · Score: 1

      Javascript is not Java

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    3. Re:A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      Whoosh.

      What that poster was saying is that Java was already cross-platform because of its use of a JVM. Therefore, you could already write cross-platform software that could do this long before Node.js was around.

    4. Re:A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      And indeed because Java demands ever more resources just to let you do what you want to do. A lot like a blackmailer.

    5. Re:A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      Ok then if there is a whoosh, please list the other cross platform ransomware. It also does not claim to be the first cross platform, it is claimed to be the first to use javascript. What it said was "Why is it unique? Because it is the first of its kind to use JavaScript for the ransomware's source code".

    6. Re:A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      Nowhere in the article does it say that Node.js makes this "the first cross-OS ransomware family". The article just says that it has the potential of being "the first cross-OS ransomware family." Java could be used, as you hinted, for creating such a threat, but no ransomware author has bothered with it, to my knowledge. Don't be mad at Node.js for something that Java could have pulled in the 90s but no ransomware author wanted to touch that platform, despite the benefits.

    7. Re:A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      And indeed because Java demands ever more resources just to let you do what you want to do.

      I'm still not sure if this continual FUD is spread by old people who haven't been able to keep up with the times or by newbies desperate to blame anybody but themselves for their poor code. We already know that by and large your assertion is not true, plenty of resources already disprove it.

    8. Re:A First for Cross-OS Support? by Junta · · Score: 2

      Note that in the debian.org set, Java won on cpu speed in one benchmark, lost on all in terms of resource utilization compared to C. So compared to C, it seems to back the assertion that Java on a JVM is disadvantaged cpu/memory wise compared to a compiled C application. Of course this is a selection of benchmarks that has had the world to think about it and probably does not represent what the average developer will achieve with the respective languages.

      Of course, there are a lot of languages whose runtime are as slow if not slower than Java, yet Java does continue to be the whipping boy for people wanting to talk about bad performance.

      The short of it is that in the real world, the differences in the languages pale in comparison to what the developer can do. On a typical application I've encountered, optimizations within the way the code runs, given the same runtime, can generally yield an order of magnitude difference without even thinking about the relative contribution of the runtime differences from porting to another language. So it's a fascinating academic discussion, but comfort with the languages is far more important in reality. Java has suffered in practice because it's where all the developers went to churn out their dubious code...

      --
      XML is like violence. If it doesn't solve the problem, use more.
    9. Re: A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      Shut up you stupid Javarast. Java is shite and will always be. It's only used because of the sub-prevailing wage, sub-competent sub-humans from the sub-continent that use it left and right. Again only reason they are cheap.

    10. Re:A First for Cross-OS Support? by TheDarkMaster · · Score: 1

      The new kids only know JavaScript, so...

      --
      Religion: The greatest weapon of mass destruction of all time
    11. Re: A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      So what cross platform programming languages for malware are there? This just adds another one to the list. All of them compile to ml. The code asks the machine for resource allocation, which can be hidden to the administrator, and if malware, or the requested game function, can or will be unechoed to the screen, is that so hard?

    12. Re: A First for Cross-OS Support? by Anonymous Coward · · Score: 0

      No, it does seem to claim that it would be the first cross-os ransomware (when someone gets around to making it work on the other os's).

      "it provides cross-OS support (we may see the first universal Windows-Linux-Mac ransomware in the future)"

  3. Attack vector? by mark-t · · Score: 3, Interesting

    Specifically, what is the actual attack vector for this? All it seems like to me is that they've made a cross-platform trojan.... one that still needs to be explicitly executed by the end user. since the only self-executing js that I know of is within a web browser, and the javascript running inside of that can't even see the local filesystem, can it?

    1. Re:Attack vector? by Anonymous Coward · · Score: 1

      NW.js removes the javascript limitation and can interact with the OS's filesystem.

    2. Re:Attack vector? by mark-t · · Score: 1

      The javascript that executes inside a mail reader can't see the filesystem either.

    3. Re:Attack vector? by fuzzyfuzzyfungus · · Score: 1

      They are using the NW.js javascript environment, packaged in their executable, to provide javascript interpretation without the browser limitations; but according to the article it is just being used in social engineering attacks at present, not coupled with an exploit.

      Presumably having the guts of the application in javascript will make the developer's life easier if he wants to produce a version for another platform and nothing prevents this being used as a payload for some other exploit that allows the attacker to execute something for you; but the current version appears to be all payload and not much delivery mechanism.

    4. Re:Attack vector? by mark-t · · Score: 1

      So... trojan?

    5. Re:Attack vector? by mark-t · · Score: 1

      That's not a javascript limitation, that's a limitation imposed by the web browser. To my understanding, NW.js gives access to node.js from inside DOM, and has nothing to do with the OS's filesystem. To my understanding, the node.js filesystem api is for accessing permanent storage, and has about as much to do with the real filesystem as ~/.wine/drive_c has to do with the native file system.

    6. Re:Attack vector? by Anonymous Coward · · Score: 0

      Attack vectors and payload are independent. The Malware industry uses division of labor: Some groups write payloads, some groups develop attacks, some groups open up systems and install payloads, then rent out access to these zombies. This ransomware is a payload. Any number of attack vectors can be used to install it.

    7. Re:Attack vector? by Anonymous Coward · · Score: 1

      Node.js is a stand-alone Javascript environment. It has access to OS facilities like filesystem, processes and FFI.

      NW.js is "batteries included" Node.js where Webkit is used as GUI toolkit. PopcornTime is written in NW.js, AFAIK.

    8. Re:Attack vector? by dos1 · · Score: 2

      Download and run it. Just like lots of other trojans/ransomwares. It could have been written in Python, Ruby, Perl, whatever, there would be no difference. Someone just thought that the fact that it uses the same language that browsers happen to use for their scripting is somehow remarkable and news-worthy. It really isn't.

    9. Re:Attack vector? by Anonymous Coward · · Score: 0

      Can't see local file system? Really?

      How about:
      file:///c:/

    10. Re:Attack vector? by phantomfive · · Score: 1

      As a hack, it's nothing interesting. Anyone can build one of these, in basically any language.

      The article is interesting because it shows the trends that are going on in the malware world. Used to be malware was all C or assembly.

      The screenshots in the article are worth a look too. All commercialized and everything. Reminds me of the book McMafia.

      --
      "First they came for the slanderers and i said nothing."
    11. Re:Attack vector? by Anonymous Coward · · Score: 0

      So... trojan?

      Yes, at the moment.

      I think you fail to see how this is significant:

      Attackers have for the longest time separated their attack components between exploit and payload. In this case, the user is the exploit (i.e. a social engineering attack), the payload is the node.js server and the ransomware code.

      Rest assured that attackers have absolutely no qualms combining the same payload with another exploit component once an exploitable vulnerability surfaces for any operating system. Now their code will run just as well on Linux, OS X and Windows - almost any variant and any version of those OSes.

      But yes, this "news" is just that the payload (the serious part of an attack) now may be written to run cross-platform on any OS.

    12. Re:Attack vector? by requerdanos · · Score: 1

      Hmm. I get

      File not found: Iceweasel can't find the file at /c:/.

    13. Re:Attack vector? by mark-t · · Score: 1

      My point is that as a trojan, the end user still needs to explicitly launch the executable... so the only techniques that will work to propagate it are the same ones as what are used to propagate any trojan. The overall experience of using the web is not altered by this as it would be if the exploit were runnable inside of a browser window.

  4. Good argument for using Chrome by 93+Escort+Wagon · · Score: 1

    Since V8's randomization is flawed, anything encrypted with it should be reversible!

    (I kid, I kid...)

    --
    #DeleteChrome
    1. Re:Good argument for using Chrome by Anonymous Coward · · Score: 0

      Only if you work at the NSA.

    2. Re:Good argument for using Chrome by Anonymous Coward · · Score: 0

      Depends how it makes the key of course. If it uses the V8 random function it may well be possible to bruteforce decrypt it, if the keyspace is small enough due to the crappy random. If it gets the key from the server or via some cryptographic library, probably not.

  5. Pure HTML by Anonymous Coward · · Score: 0

    And this is exactly why anything but pure HTML is bad.

    1. Re:Pure HTML by mark-t · · Score: 1

      Where did you see that it ever claimed to work inside of web browser?

    2. Re:Pure HTML by Anonymous Coward · · Score: 0

      while not a requirement, this would be the typical application.

    3. Re:Pure HTML by Anonymous Coward · · Score: 2, Informative

      Node-webkit stuff will definitely NOT run inside a browser. That was the entire point of node-webkit. It's a node environment fused with a webkit environment.

      Which, editors, is not "node.js"; it's a fork.

    4. Re:Pure HTML by dos1 · · Score: 1

      Aside of the fact that it has browser engine built-in and probably uses HTML for its UI, it's absolutely unrelated to browsing or HTML in any other way.

  6. Ransomware by Anonymous Coward · · Score: 0

    Give me your money or the kitten gets it!

  7. How is it platform independent? by goombah99 · · Score: 3, Informative

    So it's installing a server for node JS. But that does not make it platform independent. The script side of it may be but not the backend, and it has to install that too.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:How is it platform independent? by exomondo · · Score: 1

      but that does not make it platform independent.

      Which is why he said cross-platform rather than "platform independent". There are many platforms that you can install a server for nodejs on.

    2. Re:How is it platform independent? by goombah99 · · Score: 1

      whoo hooo. By that distinction if it ran in python, or C, or Wolfram we could call it cross platform. In fact that's true of any language short of powershell or dos batch files and even there you could run them in a VM so they too are cross platform if you are willing to install a heavyweight interpreter like nodeJS.

      --
      Some drink at the fountain of knowledge. Others just gargle.
  8. The penalties for extortion of this kind... by Z00L00K · · Score: 0

    The penalties for extortion of this kind are way too mild. 25 years to life should be the range.

    Add to it that this may be raising the stakes against the bitcoin economy.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  9. Emsisoft (developer) link by Anonymous Coward · · Score: 0

    http://blog.emsisoft.com/2016/...

    A new funding model for the 2016 U.S. elections?

  10. First universal Windows-Linux-Mac ransomware .. by Marcomasino · · Score: 1

    "The ransomware, Ransom32, is offered as a RaaS service on the Dark Web, only targets Windows machines in its first version, and is currently undecryptable."

    How does this ransomware get loaded and executed on Linux and Macs?

    1. Re:First universal Windows-Linux-Mac ransomware .. by Anonymous Coward · · Score: 1

      You infect the user via a trojan that downloads the actual ransomware, which is a NW.js binary (which can easily get cross-platform support in future versions because NW.js is cool like that), which can then be automatically launched into execution in the background via multiple OS vulnerabilities that allow privilege escalation or remote code execution in older (or even newer) Mac or Linux versions. It's not that hard... but it takes a lot of effort to piece all the code together.

    2. Re:First universal Windows-Linux-Mac ransomware .. by Anonymous Coward · · Score: 0

      Would this affect any of the BSDs?

    3. Re:First universal Windows-Linux-Mac ransomware .. by AC-x · · Score: 1

      How does this ransomware get loaded and executed on Linux and Macs?

      chmod +x

      :)

    4. Re:First universal Windows-Linux-Mac ransomware .. by Lennie · · Score: 1

      As I understand it, this ransomware is only the part that handles all the encryption and uploading the key, etc.

      So this depends on an exploit, the Windows exploit will probably be different from the Mac or Linux version.

      Windows desktops have a larger marketshare so that is why they are targeting that platform first?

      --
      New things are always on the horizon
    5. Re:First universal Windows-Linux-Mac ransomware .. by dos1 · · Score: 1

      Just like any other trojan.

  11. @samzenpus congratulations by Anonymous Coward · · Score: 0

    on your 15 minutes of fame. good job.

  12. I've seen this by JThundley · · Score: 5, Insightful

    I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.

    The biggest shock in all this is that Windows will execute a .js file when you double-click it. How fucking retarded is that? I'm looking at changing the default program for .js files to be notepad instead of the Windows Scripting Host.

    1. Re:I've seen this by Anonymous Coward · · Score: 1

      I think I've seen this one first hand. It was emailed to the victim posing as a Firstname Lastname resume.zip, inside was Firstname Lastname resume.js. Inside the .js was what looked like base64 being encoded to something, probably downloading and running the actual exe.

      Thanks for this. I found this result - https://lgscout.com/malicious-resume-from-sammy-fields-a-less-than-ideal-candidate/
      Here is a search with more info: http://www.bing.com/search?q=resume.zip%20resume.js%20%20ransom&qs=n

      Your attacker may not be the same as what's reported there, considering these guys use kits based on standards... malicious open source, if you will....

    2. Re:I've seen this by DigiShaman · · Score: 1

      I know I've seen it! You can thank the bastards behind Cryptowall 3.0 and 4.0 for that. Just block all attachments containing the file name resume.zip from the email server side. If anyone needs to send a resume, have HR or the hiring manager instruct them as to the proper file name and format to use.

      --
      Life is not for the lazy.
    3. Re:I've seen this by Anonymous Coward · · Score: 0

      Not that I would ever double-click a js file but thanks for the tip

  13. Curious by VernonNemitz · · Score: 1

    If a system is set up to require administrator approval for installation of software, can this ransomware actually install the core utilities it needs to interact with the Operating System, without the user noticing? I'm quite willing to never install NW.js if that's all I need to, to protect myself from this.

    1. Re:Curious by Anonymous Coward · · Score: 0

      Problem is administrative access to the PC ain't what it used to be. 99.999% of anything you would want to do with an "infected" computer can be done in userspace, including ransomware. There is nothing to install, it's just a giant bloated stand-alone exec with the script stuffed directly into the JS VM.

      And this assumes that while you are in user-space you don't just generate a fake UAC/gtkSU/OSX elevate to get root creds just by asking for them.

    2. Re:Curious by dos1 · · Score: 1

      If the existence of that ransomware would prevent you from installing Node, then you should also uninstall Python, Ruby, Visual Basic, Perl etc.

      The only difference is that with node-webkit you usually get the interpreter bundled together with the application - and that actually, from user PoV, makes it no different than all the other apps written in C, C++, Rust, Delphi, Go etc.

  14. rofl by Anonymous Coward · · Score: 0

    Javascript viruses ... now that's a new low.

  15. Re: First universal Windows-Linux-Mac ransomware . by Anonymous Coward · · Score: 0

    So no then.