Ransomware created using only JavaScript discovered

News by Rene Millman

Security researchers have unearthed new ransomware that has been created only using JavaScript.

Security researchers have unearthed new ransomware that has been created only using JavaScript.

The researchers, known by their Twitter handles, @JAMES_MHT and @benkow_, has been dubbed RAA. While JavaScript doen't include advanced cryptography functions, the ransomware used instead the CryptoJS library so that AES encryption could be used to encrypt the files, according to reports from Bleeping Computer.

It is distributed via emails and attachments that disguise themselves as Word documents, using names such as mgJaXnwanxlS_doc_.js.   When the file is opened, the malware encrypts the computer and demands a ransom of $250 (0.39BTC) to unlock files.

The code runs via the Windows Script Host (WSH), which executes system commands allowing access to system utilities.

The JavaScript malware will also extract and install a password stealer known as Pony. This can steal passwords and other information from a PC. Hackers can use the information as reconnaissance.

RAA encrypts around 16 file types and the was initially discovered with a ransom note written in Russian.

The ransomware is not the first to use JavaScript. Emisoft security expert Fabian Wosar discovered Ransom32 in January but this was only coded in Node.js and distributed as an executable.

Ilia Kolochenko, CEO of High-Tech Bridge, told SC Magazine that we should first clearly distinguish between JavaScript executed within a browser context, which cannot access local files or run any executables by default, and JScript executed via Windows Script Host on a Desktop, which is similar to running an .exe file in terms of available functionalities.

“Malicious scripting files aimed to compromise a system and distributed via email attachment has existed for many years,” he said.

Kolochenko went on to say that, "I would recommend updating anti-spam rules - something we did at High-Tech Bridge years ago - and block any .js and other scripting attachments, same as .exe files. You should also restrict running scripting extensions, the same as executables, using Microsoft Software Restriction Policy mechanism."

Mark James, security specialist at ESET, told SCMagazineUK.com that there are many ways to protect against this type of threat that may include measures like disabling windows script host (WSH) or simply having rules set up to manage any attachments that contain .js files.

“As in most cases it's often about pre-empting the current threat vector and trying to take away the actual danger from the end user. Having policies in place to quarantine potential dangerous attachments for checking later is a great way to protect your very valuable data from user error or silly mistakes,” he added.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews