Javascript and Ransomware: What’s the Connection?

A decade or two ago, the hacking community consisted mostly of a bunch of bored teenagers, with scant few high-level hackers capable of penetrating enterprise-grade security. For every Kevin Poulsen, you would find thousands of pimple-faced high school juniors hiding in their parents’ basements killing time until their application to MIT got accepted. That is no longer the case. Even the unfunded amateur hackers today can get access to sophisticated hacking tools for relatively little money on the Dark Web. That speaks nothing of the well-funded, highly-motivated, surprisingly sophisticated attackers backed by international organizations — sometimes even government entities — who are paid big bucks to attack your enterprise, steal the data, corrupt your databases, and generally wreak havoc on your business. Hence, the phenomenon of ransomware, which can now be carried out using a very common and seemingly harmless JavaScript framework. Here’s how it works.

What is Ransomware?

Ransomware is malware that is specifically designed to hijack a computer system or data store and hold it hostage (inaccessible and un-retrievable to the users) until they pay a ransom. The ransom demanded can soar upwards of tens of thousands of dollars, though for smaller businesses it is often only a few hundred or thousand dollars. The ransom is usually demanded to be paid in bitcoins, a popular cryptocurrency. If the ransom isn’t paid, the hacker might release sensitive data about your organization on the Internet, corrupt your databases so the data is useless, or make off with your customer information (which customers aren’t usually thrilled about). Ransomware not only damages the company monetarily through loss of revenue during the attack and the cost of the ransom, it also damages their corporate reputation, runs up extraordinary legal bills, and is a PR nightmare of the highest magnitude.

What is JavaScript?

JavaScript has long been associated with security risks, so it’s usually used to run code in a sandbox environment, meaning it is unable to access or compromise the underlying operating system or applications on the users’ machines. It’s used to develop Web-based routines, and can be found on many, many websites that your users access on any given day.

What is The Connection?

The malware behind ransomware encrypts the data, so that it is inaccessible to the user. Unless they pay up, the data is released publicly, deleted, or corrupted so that it is unusable.

Web developers have constructed a new JavaScript framework called NW.js, which was built to give developers more control and interactivity with the users’ machines. This framework has as much access to the user’s operating system as C++ code does, and to ordinary antivirus and antimalware software it looks just like any old Windows or Mac code, so it goes undetected by most security software, firewalls, etc.

Using the NW.js framework, hackers have developed a Ransomware-as-a-Service called Ransom32. That means that anyone who is willing to get their hands on the code via Torrent and the Dark Web can use this JavaScript framework to infect your users’ systems with ransomware. It’s just one of the many high-level tools available to today’s wanna-be hackers.

How to Protect Against Ransom32 and Other Cyber Attacks

Here’s your plan for keeping Ransom32 and other nefarious code out of your systems and network:

  • Update antivirus software, firmware, firewall settings, etc. regularly. As new threats (like Ransom32) are identified, developers of these products immediately release updates and patches to address the latest threats.
  • Educate users on how to avoid dangerous websites (gambling sites and others are notoriously dangerous), suspicious emails, and other threats that can deliver ransomware.
  • Get a complete network assessment to determine where your security gaps are and how to address those vulnerabilities. Request a meeting with a TTI cybersecurity expert today!

By Craig Badrick


Sign up for the TTI Newsletter