Happy 2016, and here's the year's first ransomware story

A security researcher reckons he's spotted the first example of JavaScript-based ransomware-as-a-service, dubbing it Ransom32. Emsisoft's Fabian Wosar writes here that embedded in a self-extracting WinRAR archive is an NW.js-packaged application that does the heavy lifting for the ransomware. NW.js, Wosar notes, is a …

  1. John Tserkezis

    ALL YOUR PERSONAL FILES HAS BEEN ENCRYPTED.

    Yep, that's just the thing that would make me shudder in my shoes - the sterling use and command of the English language. The least the turds could do is run it through a spell/thesaurus checker. Or are they so poor they need to charge $35 a pop to buy one? They're free, you know.

    Sad, I used to be impressed by these losers' ability, but today, they're still just losers with an L shape on their foreheads. Sigh.

    1. ammabamma

      Re: ALL YOUR PERSONAL FILES HAS BEEN ENCRYPTED.

      > Sad, I used to be impressed by these losers' ability,

      Well I'm impressed. I'm so impressed I wish to impress my impressions with my impressive masonry maul upon their unmentionables...

      This is (one of the myriad of reasons) why we can't have nice things.

    2. waldo kitty

      Re: ALL YOUR PERSONAL FILES HAS BEEN ENCRYPTED.

      "Yep, that's just the thing that would make me shudder in my shoes - the sterling use and command of the english language. The least the turds could do is run it though a spell/thesaurs checker. Or are they so poor they need to charge $35 a pop to buy one. They're free you know."

      apparently you are not familiar with the "The Adventures of Buckaroo Banzai Across the 8th Dimension" (aka Buckaroo Banzai, starring Peter Weller) movie or the old "Zero Wing" game...

      "Sad, I used to be impressed by these losers' ability, but today, they're still just losers with an L shape on their foreheads. Sigh."

      their abilities and antics are impressive but they've always had that 'L' tattooed on their foreheads simply because they are not using their talents for good... but that depends on one's definition of "good"... one good thing they are doing is showing how insecure and ill-written/untested the code is that is so widespread in today's world... especially when it shows that security is added as an afterthought instead of starting with security first and then implementing proper access...

      1. Anonymous Coward

        Re: ALL YOUR PERSONAL FILES HAS BEEN ENCRYPTED.

        Whats needed is a group of white hats to code something similar, but it doesn't demand money or destroy files.

        It makes people go through all the hoops they would have to if they had fallen foul of a genuine ransomware scam but doesn't destroy data. Just scares the bejesus out of them. I bet you a LOT of people would suddenly wake up and copy all their pictures etc onto an offline removable disk...

        1. patrickstar

          Re: ALL YOUR PERSONAL FILES HAS BEEN ENCRYPTED.

          That's what ransomware used to look like (presumably not made by whitehats though). Started with FakeAV that made your computer (well, current account) unusable because everything was "infected" (in reality it was just running from HKCU Run and terminating all windows that opened; trivial to remove) and then came the "police lockers"...

        2. Michael Wojcik Silver badge

          Re: ALL YOUR PERSONAL FILES HAS BEEN ENCRYPTED.

          Whats needed is group of white hats to code something similar, but it doesn't demand money or destroy files.

          If you think that's [or "thats", I guess; are we suffering from an apostrophe shortage?] something we need, there's no call for "a group of white hats" to write it. Just take any of the many ransomware programs available, and hack a button to run the decryption sequence into the ransom message dialog.

          Ransomware[1] already has all the necessary features.

          Personally, I don't think it'd do any good. People are already broadly aware of the existence of malware. They don't take many precautions against it for the same reason that they don't change the batteries in their smoke detectors, or get their fire extinguishers recharged, or drive more cautiously, or get more exercise: it's hard for people to devote resources to a threat that's not present. We're just not psychologically inclined to do it.

          [1] I keep typing "ransomeware". Too many years of writing about Arthur Ransome, clearly.

    3. This post has been deleted by its author

      1. CAPS LOCK

        Some tiresome spelling Nazi will be along shortly to challenge your use of...

        .. 'anymore'. Not me though...

        1. Michael Wojcik Silver badge

          Re: Some tiresome spelling Nazi will be along shortly to challenge your use of...

          Some tiresome spelling Nazi will be along shortly

          Hey hey HEY. Not "spelling Nazi". Nothing wrong with the spelling of "anymore". Usage Nazi.

          (Your everyday usage Nazi may be tiresome, but I try to be an especially pedantic usage Nazi every day.)

  2. a_yank_lurker

    Ouch

    Not clear in the report if this runs only in memory or is actually installed. I would think the NW.js framework would need to be installed which hopefully triggers an install alert.

    Judging from the file extensions it appears to target common video, audio, photo, and MS Office formats. It does not appear to target RAW photo files or ODF formats currently according to the report.

    1. Notas Badoff

      Re: Ouch

      "Once Ransom32 arrives on a system and is executed, it will first unpack all its files into the temporary files folder. ..."

      But how does it first get executed? Did someone mention that? Is it still possible to convince people to do a multi-step footgun?

      (BTW: oh the pain of finding out your company name can get misread as 'emesis'. Heck, they may pronounce it that way without realizing...)

    2. Preston Munchensonton

      Re: Ouch

      Fuck 'em all. First, anyone relying on Javascript for a desktop app deserves far worse than this ransomware (drawn & quartered, or similar taste). Second, any l33t h4x0r that wants to encrypt my "personal" files can do so any time, since I'm not daft enough to hang around without proper backups (and backups of backups), i.e. not just some Dropbox with auto-sync. I wouldn't even bother with this shite if it were to rear its ugly head.

      Personally, I do feel for those who trust all this Web 2.0 crossover bullshit. Sure as shit this kind of thing was never possible when using Vim and Pine.

      1. Matthew 3

        Re: Ouch

        I seem to recall reading that some ransomware variants now wait a month or more before appearing, precisely so that your backups are all also compromised.
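        The point above, that ransomware which stays quiet for a month can outlast every backup you keep, is easy to model. The following JavaScript (Node.js) snippet is an added example, not code from the article, Emsisoft or any commenter: it works out which snapshots a daily/weekly/monthly retention policy still holds on the day the ransom note finally appears, and whether any of them predates the encryption. The integer day numbering, the 7-day and 30-day cadence, the 33-day silent period and the two policies are all assumptions constructed for the demo.

```javascript
// Added example (not from the article or the thread). Days are plain integers,
// day 0 being an arbitrary start; weekly snapshots land on multiples of 7 and
// monthly ones on multiples of 30 (a simplification, not a real calendar).

// Which snapshot days are still on disk under a daily/weekly/monthly policy?
function retainedSnapshotDays(today, policy) {
  const kept = new Set();
  for (let d = today; d > today - policy.daily && d >= 0; d--) kept.add(d);
  for (let d = today - (today % 7), w = policy.weekly; d >= 0 && w > 0; d -= 7, w--) kept.add(d);
  for (let d = today - (today % 30), m = policy.monthly; d >= 0 && m > 0; d -= 30, m--) kept.add(d);
  return [...kept].sort((a, b) => a - b);
}

// Newest retained snapshot taken before the files started being encrypted,
// or null when every copy still held is already ciphertext.
function newestCleanSnapshot(retainedDays, encryptionStartDay) {
  const clean = retainedDays.filter((d) => d < encryptionStartDay);
  return clean.length ? Math.max(...clean) : null;
}

// Encryption starts, nothing is noticed for `silentDays`, then the ransom note
// shows up and someone reaches for the backups.
function assessPolicy(policy, encryptionStartDay, silentDays) {
  const today = encryptionStartDay + silentDays;
  const retained = retainedSnapshotDays(today, policy);
  const clean = newestCleanSnapshot(retained, encryptionStartDay);
  return {
    today,
    horizonDays: today - Math.min(...retained), // how far back the oldest copy reaches
    cleanSnapshotDay: clean,
    dataLostDays: clean === null ? null : encryptionStartDay - clean,
  };
}

// Constructed scenario: encryption begins on day 70 and stays silent for 33 days.
const SCENARIO = { encryptionStartDay: 70, silentDays: 33 };
const DAILY_ONLY = { daily: 14, weekly: 0, monthly: 0 }; // two weeks of dailies, nothing older
const TIERED = { daily: 7, weekly: 4, monthly: 3 };      // classic grandfather-father-son style

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, policy] of [["14 dailies", DAILY_ONLY], ["7d/4w/3m", TIERED]]) {
    console.log(name, assessPolicy(policy, SCENARIO.encryptionStartDay, SCENARIO.silentDays));
  }
}
```

        With 14 dailies only, the oldest copy is 13 days old and every one of them was taken after day 70, so there is nothing clean to restore. The tiered policy keeps a 73-day horizon and still has the day-60 monthly, at the cost of ten days of changes. The retention horizon, not the number of snapshots, is what has to exceed the attacker's dwell time.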

        1. This post has been deleted by its author

  3. Winkypop Silver badge

    As the great man himself once said:

    Up your nose with a rubber hose - Vinny Barbarino, Circa 1975

  4. Richard 15

    A useful tidbit.

    OK, did a little research which took a bit longer than I thought it would to answer one important question: how do you get infected. I was afraid it would be a drive-by type, in which case we are all potentially screwed.

    No, apparently at this time it's distributed via email and also happens to be quite large in size, about 32 MB. I'm guessing that most modern anti-virus programs will quickly catch on to these attached files and cut down on the problem.

    1. Pascal Monett Silver badge

      Re: "distributed via email"

      Thus relying on the tried-and-trusted clueless idiot who clicks on everything without even wondering why he was sent an executable in the first place - if said idiot even knows what an executable is. Well, users need to learn to not open everything they see in front of them, and if losing their personal files is the price, then I'm all for it. Maybe after the initial panic attack they'll realize the error of their ways and correct it (yeah, right).

      Personally I would prefer a drive-by attack, since I personally use NoScript so wouldn't be at risk and Google would most likely quickly catch on to the infection and alert its users, rendering the attack next to moot.

      But of course that is the very reason it is not a drive-by.
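      The two posts above describe the delivery route (an executable attachment, around 32 MB, that the user is talked into running) and the obvious defence is to stop such attachments at the mail gateway. The following JavaScript (Node.js) snippet is an added example written for this thread, not code from the article, Emsisoft or any commenter: it triages attachments by extension, by a decoy double extension, by the "MZ" header that every Windows executable (self-extracting archives included) starts with, and by size. The extension lists, the 20 MB review threshold and the sample attachments are assumptions constructed for the demo.

```javascript
// Added example (not from the article or the thread): mail-gateway style
// attachment triage. Extension lists and thresholds are assumptions.
const EXECUTABLE_EXTENSIONS = new Set([
  "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta", "js", "jse", "vbs", "vbe", "wsf",
]);
const DECOY_EXTENSIONS = new Set([
  "jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt", "mp3", "mp4",
]);
const MZ = [0x4d, 0x5a]; // first two bytes of any Windows PE executable (the DOS "MZ" stub)

function extensionChain(filename) {
  return filename.toLowerCase().split(".").slice(1);
}

function startsWithMZ(head) {
  return head.length >= 2 && head[0] === MZ[0] && head[1] === MZ[1];
}

// Returns { name, verdict: "deliver" | "review" | "quarantine", reasons }.
function inspectAttachment(att, reviewSizeBytes = 20 * 1024 * 1024) {
  const exts = extensionChain(att.name);
  const last = exts[exts.length - 1] || "";
  const claimsExecutable = EXECUTABLE_EXTENSIONS.has(last);
  const reasons = [];

  if (claimsExecutable) reasons.push(`executable extension .${last}`);
  if (claimsExecutable && exts.length >= 2 && DECOY_EXTENSIONS.has(exts[exts.length - 2])) {
    reasons.push("double extension: document/image name in front of an executable extension");
  }
  if (startsWithMZ(att.head)) {
    reasons.push(claimsExecutable
      ? "content is a Windows executable (MZ header)"
      : "content is a Windows executable (MZ header) despite a non-executable name");
  }

  // Anything executable is quarantined outright; a merely large attachment is
  // held for review, since a 32 MB payload would otherwise sail through.
  const verdict = reasons.length ? "quarantine" : att.size > reviewSizeBytes ? "review" : "deliver";
  if (verdict === "review") reasons.push(`unusually large attachment (${att.size} bytes)`);
  return { name: att.name, verdict, reasons };
}

// Constructed sample attachments; "head" is the first few bytes of the payload.
const SAMPLE_ATTACHMENTS = [
  { name: "invoice.pdf", size: 81920, head: [0x25, 0x50, 0x44, 0x46] },                  // "%PDF"
  { name: "holiday-photos.jpg.exe", size: 33554432, head: [0x4d, 0x5a, 0x90, 0x00] },   // decoy + MZ
  { name: "statement.pdf", size: 2048000, head: [0x4d, 0x5a, 0x90, 0x00] },             // renamed executable
  { name: "backup.zip", size: 33554432, head: [0x50, 0x4b, 0x03, 0x04] },               // "PK" zip, just big
];

function triageAll(attachments = SAMPLE_ATTACHMENTS) {
  return attachments.map((a) => inspectAttachment(a));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triageAll()) console.log(r.verdict.padEnd(10), r.name, r.reasons.join("; "));
}
```

      The header check is what catches the renamed executable: a file called statement.pdf that begins with "MZ" is quarantined no matter what its name claims, which is the case an extension-only filter misses.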

      1. allthecoolshortnamesweretaken

        Re: "distributed via email"

        "Thus relying on the tried-and-trusted clueless idiot who clicks on everything..."

        Best attack vector, ever. Can be used offline, too. Also, can't be "fixed" by software upgrades.

      2. razorfishsl

        Re: "distributed via email"

        Obviously you never met my users.......

        I recently had one, with over 350 viral notifications..

        "yes, but I really wanted the file but the AV kept deleting it....."

      3. MonkeyCee

        Re: "distributed via email"

        Maybe I'm cynical, but users seem to only want their data restored, in full previous glory (i.e. filenames and directory structure); otherwise, faced with having to sort the files manually, suddenly those photos/docs don't matter anymore.

        So most users' reaction to data loss is "can I has it all back, with no effort on my part? If not, GTFO"

        I think I've had maybe two personal users out of about fifty who after having *all* their data recovered actually bothered to go through and re-name and re-use the files. Another dozen used something like Picasa to sort them, and the rest just lived with it.

        The ones who just wanted a particular piece of data did always use it. But most of those I signed an NDA with. These are very special NDAs that can only be written on twenty pound notes and can involve a lot of legalese....

      4. Ian 55

        Re: "distributed via email"

        "the tried-and-trusted clueless idiot who clicks on everything without even wondering why he was sent an executable in the first place"

        The person at a previous workplace who opened an executable attachment 'from' himself that he knew he hadn't sent, but "wanted to see what it was" ended up as the boss.

        Clearly it's a 'are you fit for management' test.

      5. Fatman

        Re: "distributed via email"

        "Thus relying on the tried-and-trusted clueless idiot mangler who clicks on everything without even wondering why he was sent an executable in the first place - if said idiot mangler even knows what an executable is."

        FTFY!!!

        and, too often it IS the case!!!!

  5. david 12 Silver badge

    [apparently, someone thought this was a good idea – El Reg].

    I'd like more information about that. What exactly is NW.js? What exactly is JS sandboxing? Am I right that server-side implementations of JS allow "interaction with the underlying operating system", and that this malware includes/installs a server-side implementation of JS?

    1. Anonymous Coward

      Re: [apparently, someone thought this was a good idea – El Reg].

      "What exaclty [sic] is NW.js?"

      Well, you could try entering it into Google, which would bring you as the first hit:

      http://nwjs.io/

      "What exactily [sic] is JS sandboxing?"

      It's the limited execution environment provided to Javascript code running in a web browser. For example, it cannot access other web pages you have open, nor open connections to websites other than the one you are viewing, nor read/write files on the host filesystem.

      Plenty more info is available on the web, e.g.

      http://www.howtocreate.co.uk/tutorials/javascript/security

      The important thing here is that nw is itself an executable (e.g. under Windows you run nw.exe), which in turn pops open local HTML windows and interprets and runs the javascript code.

      http://docs.nwjs.io/en/latest/For%20Users/Package%20and%20Distribute/

      http://docs.nwjs.io/en/latest/For%20Users/Advanced/Security%20in%20NW.js/

      This gives you a way of writing local apps but using HTML+CSS+Javascript instead of VB or C# or whatever. "JS Sandboxing" doesn't come into play because this is a local executable.

      So really this is no different to any other attack where someone downloads an executable and runs it. The fact it uses Javascript and node.js internally is a bit of a red herring. This attack could just as well be written in BASIC and bundled with a BASIC interpreter.

      1. patrickstar

        Re: [apparently, someone thought this was a good idea – El Reg].

        Funny that they went through that bother instead of simply using Windows Script Host, which lets you do uhm, anything, from JS or VBS (anyone remember ILOVEYOU?) when executed from the local filesystem.

        Guess that wasn't Web 2.0 enough...

      2. This post has been deleted by its author

      3. Anonymous Coward

        Re: [apparently, someone thought this was a good idea – El Reg].

        Readers always have at least two choices: (1) Assume that the poster is an idiot, and too lazy to use google, or (2) Assume that the poster is not an idiot, and is not too lazy to use google.

        If your assumption is (1), you can seize the opportunity to post a few worthless lines that don't tell anyone anything useful.

        If your assumption is (2), you have the opportunity to editorialise, and create a concise summary of what you think are the important and relevant points, thus adding value to an area where someone has suggested that added value would be valued. Imagine that your reader reads The Register for information, and take it from there.

        The poster above gets 6/10 for posting the information that nw.exe is an executable. That information was not in the article, and not obvious from googling NW.js.

        That poster gets no extra points for describing sandboxing. Extra points would have been awarded for explaining the relationship between JS and sandboxing. That is, for delineating why the author of the article thought sandboxing was a native characteristic of JS.

  6. Anonymous Coward

    "It's the limited execution environment provided to Javascript code running in a web browser."

    Not sure how much clearer that could be.

    Javascript is a programming language. When used inside a web page, it has to be given a limited execution environment to protect the user against malicious web pages. Those pages may download and run arbitrary Javascript code that the user does not know or trust, every time you click a link.

    When used standalone, running code entirely of the user's choice rather than implicitly running code from the web, then sandboxing is no longer relevant. It's just another local programming language.

    node.js and spidermonkey are two examples of running Javascript outside a web browser environment.

    nw.exe is a bit odd, in that it uses web technologies (HTML, CSS, forms and javascript) to pop up windows and interact with the user, but it's still running outside a browser and is running only code which the user has chosen to run.
