Ransom32 — First JavaScript-powered Ransomware affecting Windows, Mac and Linux

The Hacker News

Here's New Year's first Ransomware: Ransom32.

A new Ransomware-as-a-service, dubbed Ransom32, has been spotted that for the first time uses ransomware written in JavaScript to infect Mac, Windows, and Linux machines.

Ransom32 allows its operators to deploy the malware very quickly and easily. It has a dashboard that enables operators to designate the Bitcoin addresses to which the ransom can be sent. The dashboard also shows stats about how many Bitcoins they have made.

In short, this new ransomware-as-a-service is so simple, and efficient at the same time, that anyone can download and distribute his/her own copy of the ransomware executable as long as he/she has a Bitcoin address.

The copy of Ransom32 was first analysed by Emsisoft, which found that the new ransomware family, which is embedded in a self-extracting WinRAR archive, uses the NW.js platform to infiltrate victims' computers and then holds their files hostage by encrypting them with 128-bit AES encryption.

But, Why the NW.js Framework?

NW.js, formerly known as Node-WebKit, is a JavaScript framework for app development based on Node.js and Chromium. It works around normally-strict sandboxing of JavaScript, so a Web app can be repurposed for desktops without the sandbox getting in its way.
"NW.js allows for much more control and interaction with the underlying operating system (OS), enabling JavaScript to do almost everything 'normal' programming languages like C++ or Delphi can do," Emsisoft's Fabian Wosar writes.
The NW.js framework not only allows for cross-platform infections but is also harder to detect because it is a legitimate framework. Ransom32 bears some resemblance to CryptoLocker, one of the nasty ransomware families that has already infected millions of PCs.

Ransom32 has been traded on the dark web with the authors asking for a 25 percent cut of all ransom payments for offering its service and forwarding the rest of the amount to the operator’s Bitcoin address.
Reviewed by Anonymous on January 05, 2016. Rating: 5
