Meet Ransom32: The first JavaScript ransomware

Software as a service (or SaaS) is a relatively new model of how a lot of software companies are conducting their business today – often to great success. So it comes as no surprise that malware writers and cyber crooks are attempting to adopt this model for their own nefarious purposes. In the past year a whole bunch of these “Ransomware as a Service” campaigns appeared, such as Tox, Fakben or Radamant. Today we want to spotlight the newest of these campaigns.

Meet Ransom32

At first glance, Ransom32 looks like a dime-a-dozen offering among many similar malware campaigns. Signups are handled via a hidden service in the Tor network. A Bitcoin address to which the funds generated by your ransomware should be sent is all that is required to sign up.

All you need to get your own customized ransomware is a Bitcoin address to send your earnings to

After you type in your Bitcoin address, you will get access to the rudimentary administration panel. In the admin panel, you can see various statistics, such as how many people have already paid or how many systems were infected. You can also configure your “client”, which is their term for the actual malware. It is possible to change the amount of Bitcoins the malware will ask for, as well as to configure parameters like the fake message boxes the malware is supposed to show during install.

A web interface allows you to see how many systems the malware has infected, how many Bitcoins it earned and allows you to further customize the malware

A click on “Download client.scr” then generates the malware according to the specifications and starts the download of the malware file, which is more than 22 MB in size. At this point it becomes evident that Ransom32 is very different from other ransomware, which rarely exceeds 1 MB in size. In fact, most ransomware authors use the small size of their malicious files as some kind of unique selling point when advertising their campaigns in underground hacker communities. Ransom32 definitely had our interest.

Unwrapping the behemoth

After further examination the downloaded file turned out to be a WinRAR self-extracting archive:

The content of the Ransom32 SFX archive

The malware uses the script language implemented in WinRAR to automatically unpack the content of the archive into the user’s temporary files directory and execute the “chrome.exe” file contained in the archive. The files within the archive have the following purposes:

  • “chrome” contains a copy of the GPL license agreement.
  • “chrome.exe” is a packaged NW.js application and contains the actual malware code as well as the framework required to run the malware.
  • “ffmpegsumo.dll”, “nw.pak”, “icudtl.dat” and “locales” contain data required by the NW.js framework to function properly.
  • “rundll32.exe” is a renamed copy of the Tor client.
  • “s.exe” is a renamed copy of Optimum X Shortcut, a utility to create and manipulate Desktop and start menu shortcuts.
  • “g” contains the malware’s configuration information as configured in the web interface.
  • “msgbox.vbs” is a small script that displays a customizable popup message and is used to display the configured message box.
  • “u.vbs” is a small script that enumerates and deletes all files and folders in a given directory.
The “g” file contains the malware’s configuration formatted as JSON

The most interesting part by far in that package is the “chrome.exe”. Upon first inspection, “chrome.exe” looks suspiciously like a copy of the actual Chrome browser. Only the lack of a proper digital signature and version information hints that this file is not the actual Chrome browser. Upon further inspection, it turned out that this file is a packaged NW.js application.

Using modern web-based technologies for ransomware

So what is NW.js exactly? NW.js is essentially a framework that allows you to develop normal desktop applications for Windows, Linux and Mac OS X using JavaScript. It is based upon the popular Node.js and Chromium projects. So while JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything “normal” programming languages like C++ or Delphi can do. The benefit for the developer is that they can turn their web applications into normal desktop applications relatively easily. For normal desktop application developers it has the benefit that NW.js is able to run the same JavaScript on different platforms. So an NW.js application only needs to be written once and is instantly usable on Windows, Linux and Mac OS X.

This also means that, at least in theory, Ransom32 could easily be packaged for both Linux and Mac OS X. That being said, at this point we haven’t seen any such packages, which at least for the moment makes Ransom32 most likely Windows-only. Another large benefit for the malware author is that NW.js is a legitimate framework and application. So it is no surprise that even almost 2 weeks after the malware was first created, signature coverage is still incredibly bad.

Once Ransom32 arrives on a system and is executed, it will first unpack all its files into the temporary files folder. From there it copies itself into the “%AppData%\Chrome Browser” directory. It uses the bundled “s.exe” file to create a shortcut in the user’s Startup folder named “ChromeService” that will make sure the malware is being executed on every boot. The malware will then start the bundled Tor client to establish a connection to its command and control server (C2 server) hidden inside the Tor network on port 85. After a successful connection with the C2 server to negotiate the Bitcoin address the affected user is supposed to send the ransom to, as well as exchanging the cryptographic key used for encryption, the malware will eventually display its ransom note.

The ransom note displayed by the malware

It then starts encrypting the user’s files. All files with one of the following file extensions are being targeted:

*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat

The malware will not attempt to encrypt any files if they are located in a directory that contains any of the following strings:

  • :\windows\
  • :\winnt\
  • programdata\
  • boot\
  • temp\
  • tmp\
  • $recycle.bin\

Files are encrypted with AES using a 128-bit key in CTR mode. A new key is generated for every file. Each key is encrypted using the RSA algorithm and a public key that is obtained from the C2 server during the first communication.

Part of the custom protocol exchange between Ransom32 and its command and control server to exchange Bitcoin address (purple) and public key (length yellow, key green)

The encrypted AES key is being stored together with the AES encrypted data inside the now encrypted file.

The malware also offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the encryption. During this process the malware sends the encrypted AES key from the chosen file to the C2 server and gets the decrypted per-file AES key back in return.

How can I protect myself from Ransom32?

As explained in our recent ransomware article, the best protection remains a solid and proven backup strategy. Once again, though, the behavior blocker technology used by Emsisoft Anti-Malware and Emsisoft Internet Security proved to be the second best defense, as all our users are once again protected from this and hundreds of different ransomware variants without the need for signatures.

Users of Emsisoft Anti-Malware and Emsisoft Internet Security are protected from Ransom32 and other ransomware families by the behavior blocker

We consider ransomware one of the biggest threats of the past year and plan to do our best to continue our excellent track record in the next year, to keep our users as protected as possible.

On that note, the malware research team here at Emsisoft wishes everyone a happy and malware-free new year.

Last but not least, we want to thank our friends over at BleepingComputer, who brought this threat to our attention first. We also would like to extend our gratitude to xXToffeeXx of BleepingComputer in particular, for her invaluable help and input while researching and reverse engineering this particular ransomware.

  • #1: Correct me if I’m wrong, but WinRAR is the attack vector because of the script language implemented in WinRAR?
    #2: You have to download the file and execute it in order to start the chain of infection? Or is it a drive by download and executed without user interaction?

    • Fabian Wosar

      WinRAR isn’t the attack vector. The attack vector can be literally anything. They just chose to use WinRAR by default. It could have been a 10 kb downloader that just downloads the other components in the background, any kind of setup like NSIS, Inno or MSI. It could be 7-Zip or WinZIP which both allow for automatically starting an application after unpacking the SFX. It could be a custom dropper altogether. There is no limitation really. It solely depends on the creativity of the person who chose to affiliate with Ransom32 on how to distribute it.

      • Thanks for clearing up! Great article btw!

      • HaroldCallahan

        A lot of those attack vectors don’t work on Linux. You can’t download and run code components in the background, because downloaded files on Linux don’t have the executable bit set, so they cannot run. You can’t run it in the browser environment because it’s sandboxed and has no access to your files. You can’t use self-extract archives because they won’t have the executable bit set. You can’t use post-extract scripting because Linux archivers don’t support that functionality for reasons of security. Of course there is always a way, but it’s MUCH harder on Linux.

        • A lot of that is false, due to several reasons.

          Downloaded files don’t have the executable bit set by default, but there’s nothing stopping the downloader from setting it to on.

          Yes, the browser environment is sandboxed on Linux, but it’s also sandboxed on Windows with pretty identical safeguards in place. (No filesystem access allowed, restricted API usage, no access to any other processes or windows, etc.) This is usually executed by escaping an inferior plugin sandbox, like Java or Adobe Acrobat. Chrome’s sandbox is actually very well-implemented.

          Self-extract can certainly be done, you don’t need any “special” software. Just write a program that extracts a resource and runs it.

          Post-extract scripting is just a glorified way to chain commands. If you managed to extract the archive, you probably already have code execution capabilities.

          At the end of the day, this is all just a matter of finding an exploit in an internet-facing program — like an outdated browser plugin — and taking advantage of it. There’s no security superiority to Linux in that regard. (Yes, Linux has jails to provide sandbox capabilities, but some plugins may not play along and require exclusion)

          • HaroldCallahan

            There are no reputable Linux downloader programs that set the executable bit of downloaded files. None. Your web browser will not do it. You cannot do it through Javascript. The user has to do it separately. Of course, if your downloader program itself IS a virus, then the downloader program can do it. But then you already have a virus.

            There are no reputable Linux archive extraction programs that run post-extraction scripts. None. Of course, if your archive extraction program itself IS a virus, then the archive extraction program can do it. But then you already have a virus.

            Do you see the difference? On Windows, downloaded files are executable BY DEFAULT. On Windows, post-extraction scripts are run BY DEFAULT. On Linux, the user has to do two things instead of one. The user must set the executable bit, and run the program. Or the user must extract the archive, and run the post-extraction script. That’s the only difference. It sounds small. But it makes a WORLD of difference in real life.

          • Read what I wrote. I’m not talking about a user downloading and running something, I’m talking about a browser/plugin exploit doing all of this. It’s not uncommon and has been one of the primary attack vectors for tens of years.

            Also, any package manager sets the executable bit.
            Every. Single. One. How do you think setup scripts are run?

          • HaroldCallahan

            You may be talking about a browser/plugin exploit, but I’m not. A browser/plugin exploit is just about the only attack vector that still works on Linux. All the other ones are shut down. Those other ones do matter. If you don’t understand that social engineering is a big source of malware then you’re not serious about security.

            Package managers require root permission to run, and Linux does a much better job of segregating this functionality than Windows.

          • I know that, but it’s as easy on Linux. The user could be tricked into downloading a .deb file (“you need a plugin”) and installing it with the package manager. Linux is usually associated with people who know to avoid this, but that doesn’t mean there aren’t a lot of inexperienced Linux users who could also fall for this.

          • Lars Jeppesen

            That would require root permission

          • Which is achieved through the usual “we need your password to continue” prompt. Most (if not all) Linux desktop users have root/sudo permission on their machine.

          • Chrome doesn’t work with Adobe Acrobat or Java anymore.
            Those both use outdated APIs that Chrome no longer supports.

          • That doesn’t stop attackers from tricking innocent users with “you need Java” prompts to install their malicious software, masquerading as plugins. Worse, it helps their case. (The browser genuinely shows a “this plugin is not supported” frame)

            For Firefox users, NPAPI plugins are still a possible attack vector.

          • Very true. This is one reason I use ublock origin.

            It has an anti malware domain block list.

            Perfect? No. Helps? Yes.

        • Fabian Wosar

          I don’t consider adding a line of code to your exploit that does a chmod on your executable or using an archive format that maintains the executable bit like tar “MUCH harder”. Sorry. Even on Windows, what it boils down to in the majority of all cases is getting the user to do something they shouldn’t be doing. Linux and Mac users in my experience are just as gullible. There is a reason why in many Linux themed IRC channels there are FAQs linked in the topic description that warn users against running certain commands, like ‘rm -Rf /’ or ‘:(){:|:&};:’, because too many of them will execute anything someone tells them blindly without thinking, trashing their machine.

          So while the delivery mechanism will certainly be different based on the different design of the OS, it’s not in any way harder to recreate many of the highly successful infection methods that trick thousands of Windows users a day on Linux.

  • Richard Hummel

    It would be nice to have some actual IOCs to block against this activity and conduct my own research

    • Fabian Wosar

      They are all listed in the article. Just not in a “convenient” block. Hashes can be found in the VT report linked. Here is the list:

      Folder:
      “%APPDATA%\Chrome Browser”

      File:
      “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk”

      SHA-1 hash:
      59a7469ae77d719108f82eb36a0157d93c9555a2

  • bsusan

    …but still people are falling prey to it via email downloads, amirite? I think the problem needs to also be addressed there, more than just wiping everything and restoring from backups.

    Would also be interested in seeing how software companies are providing cross-platform security software and work together to ensure people’s safety.

  • razorsbk

    So if the user stores his personal files in %programdata% he won’t be affected by this, right?

    • Fabian Wosar

      Technically correct. However, storing your data in an unusual place and hoping that will protect you from ransomware is not a valid strategy to deal with threats like this one. Backups are more convenient and more secure than trying to hide your files.

      • razorsbk

        I definitely agree. I have one more question: does this ransomware (or others) affect only %systemdrive%, or all the partitions with data they find?

        • Fabian Wosar

          All drives/partitions.

          • razorsbk

            Thank you!

  • Ken Dwight

    Fabian, thank you for your excellent research and documentation on this new threat vector. As I read it, disabling JavaScript won’t block this exploit, as the code to execute the JS program is contained within the malware executable — is that correct?

    • Fabian Wosar

      That is correct. Disabling JavaScript in your browser won’t stop this malware from functioning.

  • Title is wrong: this ransomware is partly written in JavaScript, but it is not an “in browser JavaScript attack”, so it is always based on the same way of “download & run” done by the biggest security hole in computer history, the one that is located between the chair and the keyboard, isn’t it?

    The title brought me here but I am disappointed; I thought it was a ransomware that could execute through simple JavaScript inside a web page (thus would have been in fact very dangerous) but it is not, it’s only a usual ransomware/virus that could be written in any other language.

    • Fabian Wosar

      The malware is fully implemented in JavaScript. The framework it uses isn’t. But if you want to apply that logic, all malware must be C malware, because the systems they run on are most likely written in C. Windows API or glibc are frameworks, just like NW.js is.

      In general, having a predetermined notion of what JavaScript is supposed to be (running in a browser on the client) doesn’t make the headline wrong. Every node.js developer on earth will disagree vehemently with your notion of JavaScript for example.

      • “having a predetermined notion of what JavaScript is supposed to be (running in a browser on the client) doesn’t make the headline wrong” – this is why I think you are wrong, because people (except developers, which I am part of) think JavaScript is something that exists only inside a web browser, so reading your headline lets them think this malware is new because it is executed/installed/run directly from the in-browser JavaScript engine, and does so simply because you opened an infected web page containing this particular JavaScript. This is not true; in this case this malware is like any other, you get infected because you downloaded and executed an infected file (unless I misread your article).

        The fact that a malware may be written in JavaScript (in fact executed through the NW.js engine that is a Windows executable binary) is something new, yes, but it’s irrelevant information except for developers/geeks, because normal users are not interested in knowing which language has been used to write the malware.

        Malware can be written in almost any language, and depending on what it needs to do it can stay at a high level interpreted/scripted language, or must be compiled into an executable binary to produce a standard app/service, or use C to compile and produce a low level driver.

        And please don’t mix up API and Framework when you say Windows API is a framework “like glibc or NW.js” you are wrong.

        • Fabian Wosar

          Point out any part of the core malicious routines involved in C2 communication or file encryption that wasn’t implemented in JavaScript and I can change the headline. In all other cases, it’s a pointless discussion.

  • janiewc

    Does this ransomware also affect connected hard drives and backup systems as others in the past?

    • Fabian Wosar

      It does, yes.

  • David Neesen

    As it encrypts files, does it leave any instructional files in the impacted directory (decrypt.html for example)?

    • Fabian Wosar

      No, it does not. No changed file extensions either. Only indication is the ransom screen displayed by the malware itself.

  • Aleks

    Hello, I want to research this service, can you give the .onion link for this?

    • Youtube Dude

      Here u go: hxxp://ransom32vgzgvkrz.onion/ (replace the xx in hxxp with tt)

  • Matthew Goldman

    This may be an over simplification – but given that the malware only encrypts your files *after* it’s established communication with its C2 server, and given that we know it reaches out on port 85, which is not used for anything, would blocking port 85 outbound on the perimeter prevent the malware from encrypting a user’s files?

    • Fabian Wosar

      In theory, yes. Problem is, that technically the connection to port 85 is local, as that is the port the Tor client bundled with Ransom32 was configured to listen to. The connection to port 85 on the C2 server is within the Tor network. So you won’t see that connection on any firewall, as it is wrapped within the Tor protocol that most likely looks like regular TLS traffic to you. You can attempt to block Tor altogether, but a lot of people tried that and the Tor developers are pretty good at dodging any attempts to identify and block Tor traffic.

  • justrite

    Just to clarify the extent of the HDD encryption, would my backup HDD, which runs constantly and is located in my desktop tower, also get encrypted along with my “C” HDD?

    • MP

      Yes, it will, if the files can be seen by the system. All shares and folders the user has access to would be encrypted, hence it would be good to remove the drive when not in use and do regular offline backups. Also, offsite backups are a better solution as well.

  • Dan

    Definitely a poser, since until I found your article I thought this was like Vawtrak, which only used tor2web; using TOR browser renamed, yow... due to TOR’s nature and that of the relevant new locker, files (and thus hashes) could keep AV sigs/hashes lagging due to polymorphic file names et al. Instead of case-by-case behavior warnings which many might think are normal Windows 10 or other common items getting “false positives”, maybe simply block TOR browser mixed in with non-TOR files at download (under option “possible PUP”), somehow block Ransom32/TOR key exchanges, or should even admins use non-privileged accounts to thwart malware installs? I wish Emsisoft well in dealing with this, as you’re one of my go-to AVs, and further, the longer no “instant stop” exists the more likely more bad guys will want to grow Ransom32’s reach.

  • Ravana Brahma Rakshas

    You should send this information to the FBI to find these bastards and shoot them.

  • Fuzzee Lowgeek

    Does Ransomware attack also shared folders? If I backup to a shared folder, do I risk infection?
    Thanks.

    • Christian

      Yes. Typically it encrypts all files that are in reach of your user account. Therefore you should always store your backups on devices that are disconnected most of the time.

      • Fuzzee Lowgeek

        Thanks. What if I use an imaging software? Would multi-gigabyte image files also be at risk?

        • SM Of Malta

          An FTP server will be fine.

  • Northcountry native

    I see that emsisoft can protect but what other programs will do the same?

    • According to VirusTotal scan, nearly all well known Anti-Virus.

      • Northcountry native

        So my av and antimalware got it set.

        • ALYac
          AVG
          AVware
          Ad-Aware
          AhnLab-V3
          Avast
          Avira
          BitDefender
          CAT-QuickHeal
          Comodo
          Cyren
          DrWeb
          ESET-NOD32
          Emsisoft
          F-Secure
          Fortinet
          GData
          Ikarus
          K7AntiVirus
          K7GW
          Kaspersky
          McAfee
          McAfee-GW-Edition
          MicroWorld-eScan
          Microsoft
          Panda
          Rising
          Sophos
          Symantec
          Tencent
          TrendMicro
          TrendMicro-HouseCall
          VIPRE
          nProtect

          • Chiron

            Thanks a lot Tim! I’ve been looking for a new decent malware-protection software after Emsisoft left us high and dry with our WinXP and tried to push in Win10 instead, and upon your words as well as the info I then found on the web it looks like Webroot should suit me and my associates fine for at least another 4 years.
            And then… well, in the meantime Microsoft might finally succeed in developing another decent, discrete and fast OS to replace XP – hope is still tax-free, I suppose ;-)

    • Tim

      I just had it get past Symantec endpoint protection only to be stopped by Webroot SecureAnywhere.

      • MP

        Hi Tim
        That’s great news re Webroot considering we are moving all clients to it at the moment. :)
        NEVER been a fan of Symantec nor McAfee to be honest.
        Over 20 years, most systems infected are with the above.

        • Tim

          I have moved 145 systems to Webroot over the last few months and since it works fine alongside other AV we are leaving the existing protection in place until its license expires. I have been seeing 5 to 10 times a week that Webroot stops what the others don’t.

  • Cihan Erdem

    hi all, i can help you to decrypt your “.vvv, .ecc, .ezz, .exx, .xyz, .zzz, .aaa, .abc, .ccc” files, please contact me by mcerdem82@yahoo.com

  • disqus_aLQ5C9VbIK

    Hi :) I have a question.
    How did you know that “Files are being encrypted using AES with a 128 bit key using CTR as a block mode.”?
    Where is the key file? Or… where is something about the AES file..? :(

  • Wow, great write up. Didn’t know ransomware worked this way, how you get a cut of the profit etc.