steven36 Posted January 3, 2016

Ransom32 is a new crypto-ransomware variant recently reported; it is the first ransomware variant that has been developed in JavaScript.

Ransom32 is a new crypto-ransomware variant that was first reported on December 29th, 2015, by an infected user on the Bleeping Computer forums. It is the first ransomware variant that has been developed in the JavaScript scripting language. Additionally, Ransom32 joins a group of Ransomware-as-a-Service (RaaS) offerings that have become more and more common throughout 2015.

Prospective malware distributors can sign up to become a Ransom32 affiliate by accessing a hidden server on the Tor network. Only one piece of information is required to sign up: a Bitcoin address.

Upon signing up to distribute Ransom32, the prospective criminal is granted access to a Web Control Panel that serves as a centralized location allowing for the configuration and generation of unique Ransom32 payload files. Furthermore, this control panel allows the distributor to observe and review statistics for their Ransom32 distribution campaign(s). Statistics that are displayed include, but are not limited to:

• # of Infected Users
• # of Victims that Paid the Ransom

The Ransom32 Control Panel also allows the distributor to configure several different parameters, such as:

• Configuration of the "client" (personalized Ransom32 binary)
• Amount to charge for ransom (in BTC)
• Whether or not you wish for any message boxes to pop up during the installation of the malware, and if so, what text should be displayed in these message boxes

After the desired configuration changes are made, a simple click of a button is all that is required for the newly customized Ransom32 payload file to be generated and downloaded. The malware payload is quite large, totaling 22 MB in size.
Breaking Down the Ransom32 Binary

A closer look at the newly generated, freshly downloaded Ransom32 malware payload reveals that the downloaded payload file is actually a WinRAR self-extracting archive. Built-in scripts within the WinRAR application instruct the device to unpack the archive and execute a file within the archive that carries out the malware's core functions, "chrome.exe".

The Files Packed Within the Archive

Several files have been packed within the WinRAR self-extracting archive that is downloaded upon the payload's generation. These files are listed and described below.

"chrome": This file contains a copy of the GPL licensing agreement.
"chrome.exe": A packaged NW.js application; this binary file contains the actual core functions carried out and executed by Ransom32. This application also contains the framework required for the malware to be successfully executed.
"ffmpegsumo.dll", "nw.pak", "icudtd.dat", "locales": These files contain data that is required by the NW.js framework to properly function.
"rundll32.exe": This file is a renamed copy of the Tor client, which is utilized for key retrieval, Bitcoin address retrieval, and communication with Ransom32's command-and-control (C2) server.
"s.exe": This file is actually a renamed copy of Optimum X Shortcut, a utility that is used to create and manipulate Desktop and Start Menu shortcuts.
"g": This file contains the malware's configuration information as it was configured by the distributor in the Ransom32 Control Panel during the initial payload generation phase. The contents of this file are formatted as JSON.
"msgbox.vbs": This file is a simple script that displays a message box on the infected device; this script will only be executed if the distributor enabled and configured message boxes to be displayed during the Ransom32 installation process.
"u.vbs": This file is actually a small script that performs destructive tasks; this script enumerates and deletes all files and folders within a given directory.

Of all the files compressed within the archive, the most interesting file is the "chrome.exe" binary, which appears to be nearly identical to the actual, legitimate "chrome.exe" binary. However, the lack of a proper digital signature and invalid or non-existent version information indicates that this file is not the actual, legitimate "chrome.exe" binary. In fact, it is a packaged NW.js application.

How Ransomware Leverages Web-Based Technologies

The NW.js framework allows for the development of normal desktop applications utilizing JavaScript. These applications are vendor-neutral; therefore, a single script written in JavaScript utilizing NW.js can be executed on Windows, Linux and Mac OS X. While JavaScript is essentially a browser-based language that is limited by your browser's sandbox, whose interaction with the underlying host OS is limited at best, NW.js breaks these boundaries, allowing for more interaction with the underlying host OS. This means that NW.js allows scripts written in JavaScript to basically contain the functionality and gain the abilities of scripts written in programming languages such as C++.
Mechanism of Action

Ransom32 encrypts files with the following extensions:

*.jpg, *.jpeg, *.raw, *.tif, *.gif, *.png, *.bmp, *.3dm, *.max, *.accdb, *.db, *.dbf, *.mdb, *.pdb, *.sql, *.*sav*, *.*spv*, *.*grle*, *.*mlx*, *.*sv5*, *.*game*, *.*slot*, *.dwg, *.dxf, *.c, *.cpp, *.cs, *.h, *.php, *.asp, *.rb, *.java, *.jar, *.class, *.aaf, *.aep, *.aepx, *.plb, *.prel, *.prproj, *.aet, *.ppj, *.psd, *.indd, *.indl, *.indt, *.indb, *.inx, *.idml, *.pmd, *.xqx, *.xqx, *.ai, *.eps, *.ps, *.svg, *.swf, *.fla, *.as3, *.as, *.txt, *.doc, *.dot, *.docx, *.docm, *.dotx, *.dotm, *.docb, *.rtf, *.wpd, *.wps, *.msg, *.pdf, *.xls, *.xlt, *.xlm, *.xlsx, *.xlsm, *.xltx, *.xltm, *.xlsb, *.xla, *.xlam, *.xll, *.xlw, *.ppt, *.pot, *.pps, *.pptx, *.pptm, *.potx, *.potm, *.ppam, *.ppsx, *.ppsm, *.sldx, *.sldm, *.wav, *.mp3, *.aif, *.iff, *.m3u, *.m4u, *.mid, *.mpa, *.wma, *.ra, *.avi, *.mov, *.mp4, *.3gp, *.mpeg, *.3g2, *.asf, *.asx, *.flv, *.mpg, *.wmv, *.vob, *.m3u8, *.csv, *.efx, *.sdf, *.vcf, *.xml, *.ses, *.dat

Additionally, Ransom32 takes preventive measures to ensure that the malware executes successfully, without causing damage to the underlying OS. Ransom32 will not encrypt any files, regardless of their extension, if they are located in a directory whose name contains any of the following strings:

:\windows\
:\winnt\
programdata\
boot\
temp\
tmp\
$recycle.bin\

Ransom32 utilizes AES encryption with a 128-bit key in CTR block mode to encrypt all supported files that it enumerates. A new key is generated for every supported file that is enumerated; these keys are then encrypted using the RSA algorithm with a public key that was obtained from its Command-and-Control (C2) server during the initial communications between the C2 server and the infected host. Affected files now contain both an encrypted version of the affected file's data and the now-encrypted AES key that was used to compromise the original file data.
As seen with many other malware authors, the Ransom32 authors offer a decryption utility that is provided after the successful payment, clearing, and verification of the ransom payment. The malware authors offer to decrypt a single affected file for free, to prove that they are capable of doing so.

Ransom32's Ransom Note (image)

Sources
Special thanks to Fabian Wosar of Emsisoft.
Meet Ransom32: The first JavaScript ransomware (Bleeping Computer)

About the Author
Michael Fratello is a Security Engineer employed by CipherTechs, Inc., a privately held information security services provider located in downtown Manhattan, New York. Specializing in Penetration Testing and Digital Forensics, Michael, a St. John's University graduate majoring in Computer Security Systems, has developed a passion for information security and often spends his free time studying, programming, and researching the exponentially growing number of threats found in the wild today.

Edited by Pierluigi Paganini
News Source: Security Affairs
Akaneharuka Posted January 3, 2016

Humans nowadays... If they only used this knowledge to do good things, the world would be more peaceful.
straycat19 Posted January 3, 2016

As I have stated in other post threads, this cannot run on any of our computers because steps 3 and 4 cannot take place, since nothing is allowed to run from any %appdata% folder on our systems. Anyone's personal computer I have ever worked on since the release of Windows 7 has had this same protection put in place. Since the inception of ransomware, I have only seen one actual production computer that was infected with this, and that was one that belonged to an affiliate that we had no control over but was restored from the previous day's backup.
steven36 Posted January 3, 2016 (Author)

40 minutes ago, straycat19 said:
As I have stated in other post threads, this cannot run on any of our computers because steps 3 and 4 cannot take place, since nothing is allowed to run from any %appdata% folder on our systems. Anyone's personal computer I have ever worked on since the release of Windows 7 has had this same protection put in place. Since the inception of ransomware, I have only seen one actual production computer that was infected with this, and that was one that belonged to an affiliate that we had no control over but was restored from the previous day's backup.

What are you talking about? The 1st case of this was just discovered December 29th, 2015; you act like it's been around for years? The person at bleepingcomputer.com that was infected was on Windows 10.
http://www.bleepingcomputer.com/forums/t/600794/ransom32-ransomware-support-topic/
straycat19 Posted January 3, 2016

Ransomware (which is a category, not a single program) in one form or another has been around for years; this is just a new form, and my comment was generic, not directed specifically toward "RANSOM32" ransomware. Since the release of Windows 7, the system was changed to put the temp files in the AppData folder. Regardless of the operating system, if you block anything from running from it, then 99% of all malware will not be able to run on a system, and with just a modicum of common sense that can easily be increased to a guaranteed 100%. That is, in my 15 years of testing viruses and malware I find this to be true. I just downloaded 125 GB of new malware/virus files that were found in the last month's collection period, which is much larger than normal, but probably due to the holidays and variations in the way the malware is deployed. It takes a while to test them since they are individually encrypted to prevent dissemination outside of authorized channels and prevent accidental infection.
steven36 Posted January 3, 2016 (Author)

15 minutes ago, straycat19 said:
Ransomware (which is a category, not a single program) in one form or another has been around for years; this is just a new form, and my comment was generic, not directed specifically toward "RANSOM32" ransomware. Since the release of Windows 7, the system was changed to put the temp files in the AppData folder. Regardless of the operating system, if you block anything from running from it, then 99% of all malware will not be able to run on a system, and with just a modicum of common sense that can easily be increased to a guaranteed 100%. That is, in my 15 years of testing viruses and malware I find this to be true. I just downloaded 125 GB of new malware/virus files that were found in the last month's collection period, which is much larger than normal, but probably due to the holidays and variations in the way the malware is deployed. It takes a while to test them since they are individually encrypted to prevent dissemination outside of authorized channels and prevent accidental infection.

By 2014, just one strain of ransomware had held over 600K PCs hostage and encrypted 5 billion files. It doesn't sound to me like no one can get infected. I'm sure the number is much higher by now because it's expected to grow in 2016.
http://www.pcworld.com/article/2600543/cryptowall-held-over-halfamillion-computers-hostage-encrypted-5-billion-files.html
http://www.securitymagazine.com/articles/86787-ransomware-attacks-to-grow-in-2016

Quote:
The number of cyberattacks where malware holds user data "hostage" is expected to grow in 2016 as hackers target more companies and advanced software is able to compromise more types of data, according to a report from Intel Corp.'s McAfee Labs. "Ransomware" is malicious software that allows a hacker to access an individual or company's computers, encrypt sensitive data and then demand some form of payment to decrypt it.
Doing so essentially lets hackers hold user data or a system hostage. McAfee Labs researchers saw more than 4 million samples of ransomware in the second quarter of 2015, including 1.2 million that were new, and expects those instances to grow in 2016. That compares to fewer than 1.5 million total samples in the third quarter 2013, when fewer than 400,000 were new. The report examines current trends in cybercrime and makes predictions about what the future may hold for organizations working to keep pace with business and technology opportunities, and the cybercriminals that target them.

2016 Threat Predictions

The 2016 threat predictions run the gamut of trends, from the likely threats around ransomware, attacks on automobile systems, infrastructure attacks, and the warehousing and sale of stolen data, among other likely issues in 2016:

• Hardware. Attacks on all types of hardware and firmware will likely continue, and the market for tools that make them possible will expand and grow. Virtual machines could be targeted with system firmware rootkits.
• Ransomware. Anonymizing networks and payment methods could continue to fuel the major and rapidly growing threat of ransomware. In 2016, greater numbers of inexperienced cybercriminals will leverage ransomware-as-a-service offerings which could further accelerate the growth of ransomware.
• Wearables. Although most wearable devices store a relatively small amount of personal information, wearable platforms could be targeted by cybercriminals working to compromise the smartphones used to manage them. The industry will work to protect potential attack surfaces such as operating system kernels, networking and Wi-Fi software, user interfaces, memory, local files and storage systems, virtual machines, web apps, and access control and security software.
• Attacks through employee systems.
Organizations will continue to improve their security postures, implement the latest security technologies, work to hire talented and experienced people, create effective policies, and remain vigilant. Thus, attackers are likely to shift their focus and increasingly attack enterprises through their employees, by targeting, among other things, employees' relatively insecure home systems to gain access to corporate networks.
• Cloud services. Cybercriminals could seek to exploit weak or ignored corporate security policies established to protect cloud services. Home to an increasing amount of business confidential information, such services, if exploited, could compromise organizational business strategy, company portfolio strategies, next-generation innovations, financials, acquisition and divestiture plans, employee data and other data.
• Automobiles. Security researchers will continue to focus on potential exploit scenarios for connected automobile systems lacking foundational security capabilities or failing to meet best practice security policies. IT security vendors and automakers will proactively work together to develop guidance, standards and technical solutions to protect attack surfaces such as vehicle access system engine control units (ECUs), engine and transmission ECUs, advanced driver assistance system ECUs, remote key systems, passive keyless entry, V2X receiver, USBs, OBD IIs, remote link type apps and smartphone access.
• Warehouses of stolen data. Stolen personally identifiable information sets are being linked together in big data warehouses, making the combined records more valuable to cyber-attackers. The coming year will see the development of an even more robust dark market for stolen personally identifiable information and usernames and passwords.
• Integrity attacks. One of the most significant new attack vectors will be stealthy, selective compromises to the integrity of systems and data.
These attacks involve seizing and modifying transactions or data in favor of the perpetrators, such as a malicious party changing the direct deposit settings for a victim's paychecks and having money deposited into a different account. In 2016, McAfee Labs predicts that we could witness an integrity attack in the financial sector in which millions of dollars could be stolen by cyber thieves.
• Sharing threat intelligence. Threat intelligence sharing among enterprises and security vendors will grow rapidly and mature. Legislative steps may be taken making it possible for companies and governments to share threat intelligence. The development of best practices in this area will accelerate, metrics for success will emerge to quantify protection improvement, and threat intelligence cooperatives between industry vendors will expand.

Predictions through 2020

The five year look ahead attempts to predict how the types of threat actors will change, how attackers' behaviors and targets will change, and how the industry will meet these challenges over the next five years:

• Below-the-OS attacks. Attackers could look for weaknesses in firmware and hardware as applications and operating systems are hardened against conventional attacks. The lure would be the broad control attackers can potentially gain through these attacks, as they can conceivably access any number of resources and commandeer administration and control capabilities.
• Detection evasion. Attackers will attempt to avoid detection by targeting new attack surfaces, employing sophisticated attack methods, and actively evading security technology. Difficult-to-detect attack styles will include fileless threats, encrypted infiltrations, sandbox evasion malware, exploits of remote shell and remote control protocols, and the aforementioned below-the-OS attacks targeting and exploiting master boot records (MBR), BIOS, and firmware.
• New devices, new attack surfaces.
While there has not yet been a surge in IoT and wearable attacks, by 2020 we may see install bases of these systems reach substantial enough penetration levels that they will attract attackers. Technology vendors and vertical solution providers will work to establish user safety guidance and industry best practices, as well as build security controls into device architectures where appropriate.
• Cyberespionage goes corporate. McAfee Labs predicts that the dark market for malware code and hacking services could enable cyberespionage malware used in public sector and corporate attacks to be used for financial intelligence-gathering and the manipulation of markets in favor of attackers.
• Privacy challenges, opportunities. The volume and value of personal digital data will continue to increase, attracting cyber thieves, and potentially leading to new privacy regulations around the world. Concurrently, individuals will seek and receive compensation for sharing their data, a market will develop around this "value exchange," and the environment this market shapes could change how individuals and organizations manage digital privacy.
• Security industry response. The security industry will develop more effective tools to detect and correct sophisticated attacks. Behavioral analytics could be developed to detect irregular user activities that might indicate compromised accounts. Shared threat intelligence is likely to deliver faster and better protection of systems. Cloud-integrated security could improve visibility and control. Finally, automated detection and correction technology promises to protect enterprises from the most common attacks, freeing up IT security staff to focus on the most critical security incidents.

The full report is at http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf
straycat19 Posted January 3, 2016

Those who don't administer thousands of PCs and are not responsible for their protection are obviously not the ones that should participate in a discussion on security. So to educate the masses, I suggest they search for AppLocker on TechNet and check out the information on the following sites.
https://community.spiceworks.com/topic/389016-need-help-with-gpo-to-block-exe-s-in-appdata-folder?page=1
http://kwsupport.com/2013/10/block-executables-from-appdata-folder/
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
http://www.thirdtier.net/ransomware-prevention-kit/
I refuse to get into an argument or discussion with an unarmed person.
steven36 Posted January 3, 2016 (Author)

41 minutes ago, straycat19 said:
Those who don't administer thousands of PCs and are not responsible for their protection are obviously not the ones that should participate in a discussion on security. So to educate the masses, I suggest they search for AppLocker on TechNet and check out the information on the following sites.
https://community.spiceworks.com/topic/389016-need-help-with-gpo-to-block-exe-s-in-appdata-folder?page=1
http://kwsupport.com/2013/10/block-executables-from-appdata-folder/
http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
http://www.thirdtier.net/ransomware-prevention-kit/
I refuse to get into an argument or discussion with an unarmed person.

It's not an argument, bro, it's reality. You are saying something doesn't exist on PCs newer than Windows 7 when people get infected with it every day on every Windows version, and there's even a strain of it on Linux servers. Kaspersky just gave out keys to unlock people's Windows PCs from ransomware not long ago, and Dr.Web and Bitdefender made a fix for the one on Linux servers. It's not even just a Windows problem anymore; it's spread to other OSes even.

How to prevent ransomware: What one company learned the hard way
Quote: Your best defense: Back up, back up, back up
Full story: http://www.pcworld.com/article/2901672/how-to-prevent-ransomware-what-one-company-learned-the-hard-way.html

All that stuff you posted can be found here in this post from 2013, and more can be found here:
http://www.welivesecurity.com/2013/12/12/11-things-you-can-do-to-protect-against-ransomware-including-cryptolocker/
But still, it's an ever-evolving threat that's very much alive today.
straycat19 Posted January 3, 2016

Millions of people get phished, hacked, and attacked, but it doesn't happen on a network or PC where the person maintaining it is cognizant of the necessity for security beyond useless AV software and other archaic security instruments. Security today requires technical expertise, research and testing, and collaboration with security officers of other organizations and institutions. I could care less what happens to millions of idiots who have no clue how to protect their systems. And you are wrong in your comment that what I am saying doesn't apply on systems newer than Windows 7; it also applies on Windows 8.1 and Windows 10, and you would know this if you did some research, since even AppLocker is available in those versions, which makes configuration easier than using GPO.
steven36 Posted January 3, 2016 (Author)

1 minute ago, straycat19 said:
Millions of people get phished, hacked, and attacked, but it doesn't happen on a network or PC where the person maintaining it is cognizant of the necessity for security beyond useless AV software and other archaic security instruments. Security today requires technical expertise, research and testing, and collaboration with security officers of other organizations and institutions. I could care less what happens to millions of idiots who have no clue how to protect their systems. And you are wrong in your comment that what I am saying doesn't apply on systems newer than Windows 7; it also applies on Windows 8.1 and Windows 10, and you would know this if you did some research, since even AppLocker is available in those versions, which makes configuration easier than using GPO.

It's never happened on my home network either. But it seems to happen to many people. Interesting read here about how they think it's going to spread into everything that has a computer in it.
http://www.makeuseof.com/tag/beyond-computer-5-ways-ransomware-will-take-captive-future/
I hope this never really happens.
davmil Posted January 4, 2016

10 hours ago, straycat19 said:
Millions of people get phished, hacked, and attacked, but it doesn't happen on a network or PC where the person maintaining it is cognizant of the necessity for security beyond useless AV software and other archaic security instruments. Security today requires technical expertise, research and testing, and collaboration with security officers of other organizations and institutions. I could care less what happens to millions of idiots who have no clue how to protect their systems. And you are wrong in your comment that what I am saying doesn't apply on systems newer than Windows 7; it also applies on Windows 8.1 and Windows 10, and you would know this if you did some research, since even AppLocker is available in those versions, which makes configuration easier than using GPO.

Pretty cocky, my friend. Agree diligence helps, and having a professional admin dedicated to the tasks increases security. Still, I'll stick with the 1) backup-backup-backup (including off-site image archives) & 2) "never say never" rule my mama taught me.
Appreciate you sharing your formidable knowledge; encourage you to keep it up and keep learning so you stay humble and don't get blindsided by hubris.
straycat19 Posted January 4, 2016

What you see as cocky is actually over 40 years of experience in computers and security, either as a profession or a hobby, and sometimes both at the same time. Nowhere will you ever see any post of mine that says you should never have a full daily backup, and if I didn't believe that I wouldn't have 19 NAS units at home. I try to share those techniques that have been proven to be effective in stopping a system from being infected or hacked. I never have been, nor will I ever be, hacked, not that people haven't tried and been invited to try. At one job, not related to computers, we used to trade computers at lunch time and compete hacking into each other's systems, breaking passwords and other security features to gain access. We did this daily for 4 years, and in that time you learn a lot, and it helped me hone my computer skills and how I approached security solutions. I took a university network that was experiencing 10-15 security incidents a day (hacked accounts, email or login; malware and virus infections) and in two years we were down to one in 90 days, and when I left last year it was one in 6 months.
vibranium Posted January 4, 2016

1 hour ago, straycat19 said:
I never have been, nor will I ever be, hacked, not that people haven't tried and been invited to try.

That sounds impressive. I hope your record holds!

23 hours ago, straycat19 said:
Since the release of Windows 7, the system was changed to put the temp files in the AppData folder. Regardless of the operating system, if you block anything from running from it, then 99% of all malware will not be able to run on a system, and with just a modicum of common sense that can easily be increased to a guaranteed 100%.

In a typical computer many legitimate programs could run from AppData. It's tough to lock it down without breaking something. This approach is strictly for IT admins only.
Holmes Posted January 5, 2016

I completely agree. I downloaded CryptoPrevent and stopped using it; I downloaded some items to the folder it was blocking and thought it was being too strict. For your information, that university network had weak IT management, I think. I think anybody with the correct amount of experience can pull that off as long as they know what they're doing. It's not what he sees, it's what he perceives, and I'm sure some users on this forum perceive the exact same object: you do sound cocky. You say you can't be hacked. I may not be able to hack you; my friend could if he set his mind to it, easily. You're not afraid of that: you have redundant backups in place, if something goes wrong you restore, and you have that honeypot (decoy) as you mentioned. You have a lot of safeguards in place and you really can sit back and be comfortable with what you've got and with what could happen, and that by itself can make anyone cocky. As for the ransomware, it's not new, like stray said; technically the attack vector is the only part that is new.
Archived
This topic is now archived and is closed to further replies.