New Ransomware Written Entirely In JavaScript (scmagazine.com)
An anonymous reader writes: Security researchers have discovered a new form of ransomware written entirely in JavaScript and using the CryptoJS library to encode a user's files. Researchers say the file is being distributed through email attachments, according to SC Magazine, which reports that "Opening the attachment kicks off a series of steps that not only locks up the victim's files, but also downloads some additional malware onto the target computer. The attachment does not visibly do anything, but appears to the victim as a corrupted file. However, in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copy so the encrypted files cannot be recovered and the ransomware is set to run every time Windows starts up so it can capture any new information."
"It's a little bit unusual to see an actual piece of ransomware powered by a scripting language," one security executive tells the magazine, which suggests disabling e-mail attachments that contain a JavaScript file.
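The mitigation the magazine suggests, blocking mail attachments that carry a Windows Script Host file, as an added example that is not from the article or the researchers: a Python gateway-style filter that parses a constructed .eml message with the standard library and flags attachments whose final extension is a script-host type (catching double extensions such as invoice.pdf.js) or that sit inside a zip archive. The extension list and the sample message are my assumptions, not values from the page.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs as a script when double-clicked (Windows Script Host,
# or mshta for .hta). Assumption: this is the set a defender wants to block.
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta")


def is_script_name(name: str) -> bool:
    """True if the name's final extension is a script type (catches invoice.pdf.js)."""
    lowered = (name or "").lower().strip()
    return lowered.endswith(SCRIPT_EXTS)


def script_attachments(raw: bytes) -> list[str]:
    """Names of attachments that would run under Windows Script Host,
    looking one level deep inside zip archives."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if is_script_name(name):
            found.append(name)
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    found.extend(f"{name}:{n}" for n in zf.namelist() if is_script_name(n))
            except zipfile.BadZipFile:
                found.append(f"{name}:<unreadable zip>")  # unreadable archive: treat as suspicious
    return found


def build_sample() -> bytes:
    """Construct a sample message (not a real malicious mail) with three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"var x = 1;", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.js")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("scan.wsf", "<job></job>")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="docs.zip")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="real.pdf")
    return bytes(msg)
```

Running `script_attachments(build_sample())` reports the double-extension script and the script inside the archive while leaving the PDF alone; a real deployment would quarantine the message rather than just list the names.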
Re:Disabling attachments is not enough (Score:5, Funny)
That will help, but a more effective strategy is to find the breaker box and flip them all off and stuff.
However, be aware that the FBI can, and does, monitor the water flowing up to your house for subtle vibrations caused by voices and footsteps.
They do the same thing with natural gas.
They even put vibration sensors on the cable, telephone, and electrical lines that physically attach to your home from that pole out there.
The only real solution is to move out.
They will know you did, though.
very OLD to be first (Score:5, Informative)
https://it.slashdot.org/story/... [slashdot.org]
Sand fucking box (Score:5, Interesting)
Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.
Re: (Score:2, Interesting)
What you want is already available. Meet Apparmor. [wikipedia.org]
That people don't use the available tools is a separate problem. There are a range of things from apparmor to lightweight paravirtualizers like lxc [wikipedia.org]. The right place to address this isn't in every single individual tool like an emailer or web browser that can connect to the network, it's in orthogonal tools to solve the problem in one place.
Do one thing, and do it well.
If people don't use the tools they have, that's not the fault of the tools.
Re: (Score:3)
AppArmor is a bit of a pain in the ass since it is mostly a whitelist thing, when it might be better to be able to do something more like IPCHAINS. Currently it creates an allow set and then subtracts the entire deny set from the allow set. What is really needed is an ideny or inline deny type rule for ascending or descending precedence of allow and deny rules. Sometimes you might want to alternate permit and deny permissions in descending or ascending precedence. Believe me, lacking this makes it much hard
Re: (Score:2)
Because at work the client and my coworkers will complain their Cisco secured mail which requires TLS 1.0 turned on! ... will not work without java and javascript with insecure encryption enabled for security apparently.
Okay but what executes js externally to mail? (Score:2)
Surely Javascript gets sent to the browser. And doesn't the browser prevent it accessing the file system?
Re: (Score:2)
HTML gets sent to the browser. Javascript gets sent to WScript.exe...
Re: (Score:1)
And so we get to the cause of the problem.
Windows and Microsoft.
Why isn't the downloaded file tagged as "downloaded from the internet"? This seems to be a capability that Windows has.
Why doesn't wscript.exe look for that and refuse to run the script or run the script in a locked down sandbox. Although I guess Windows would just pop up a "Run this malware as administrator? Yes / Yes" UAC box anyway.
The sooner that operating systems containerise every application the better. Limit the damage - I'd rather eras
Re: (Score:2)
What if I want to attach a file to a piece of email?
Re: (Score:2)
Not sure why you think this applies here.
This isn't automatically running Javascript inside the browser or the email program. This attack is about tricking the user into running an attachment.
Which means in this case it would use Windows Scripting Host to execute the Javascript (could have been VBscript as well). Could have been a Powershell file or whatever, exe-file, it doesn't matter.
Kind of expected they included an encryption library, if it's running in Windows Scripting Host they could probably just hav
Not as complex as you suggest (Score:2)
Outlook not so good.
Clicking on the subject is enough to open the email and "helpfully" run the script via Internet Explorer.
Absolute fucking insanely bad software design is why we are living knee deep in a malware swamp beyond the dreams of bad science fiction.
Re: (Score:1)
no, it's a sign that they profit from delivering their customers to criminals
Re: (Score:2)
Why do browsers and email programs have -any- access to anything? Sandbox the fuckers and call it a day. The fact that they aren't is a sign that companies aren't concerned enough about the problem.
You missed the point. They *ARE* concerned about the problem: they need to keep it a problem, so they can sell a solution to corporations.
Believe me, they are deeply concerned about the survival of their business model.
technical literacy is lacking. (Score:4, Insightful)
What has it been, maybe three decades of this kind of thing? At some point, do we expect people to develop enough technical literacy to avoid this kind of problem?
Note that I'm not saying it is the user's fault. It is the fault of the people writing the ransomware, pure and simple. But it's like walking through the bad part of Philly at night flashing bling all over and being visibly drunk. Yes, it's the muggers' fault when you get mugged... but it is still worth pointing out that maybe your choices made your risk higher than it had to be. That is not "victim blaming". It's victim helping.
Since malware has been around for a long time, it's pure wishful thinking to imagine it's going away any time soon. So, you have to protect yourself.
Running executable and/or scripted email attachments from NigerianPrice204@notmalware.ng or ThisIsBeckyFromAccounting@No.Really is not how you protect yourself. It's been 30+ years of this. The details change, but the problem remains. Maybe it's time for people to start learning.
things change, things stay the same (Score:1)
Another reason to hate javascript (Score:1, Troll)
Re: (Score:1)
Linux/osx is not dumb enough to make it easy to run an attached javascript file. It can be done, but those who know how also know not to run any sw they get from strangers in the mail.
Seriously, nobody needs the ability to easily execute stuff that came in the mail. Especially not those who don't understand the implications. So it is not made easy.
Also, even when you succeed in tricking a linux user, the software can't reliably take over the machine. It may still ransom stuff in his account, but the infection
Re: Another reason to hate javascript (Score:2)
Nothing to do with JavaScript. It might as well have been vbscript.
The problem is the MUA allowing you to launch executable Windows script host attachments.
Re: (Score:2)
Hush. He's a nerd with an axe to grind against a certain language. Don't pop his delusional bubble.
Re: (Score:1)
Give it a few days. This is the last place I go to for actual news.
Re: (Score:2)
A Star Trek actor died, and there's no post?
Did you submit a story about it? That's how Slashdot works...
Re: (Score:1)
Walter Koenig is alive and well.
But does it run on Linux? (Score:2)
But does it run on Linux?
Looks like JScript (Windows only).
What is the point... (Score:2)
Squpid Q (Score:3)
We need to arrest all JavaScript developers (Score:1)
Faulty software (Score:2)
Either the mail client executes JS with access to full filesystem, or it passes it to the browser that does it.
Clearly there is a sin here: executing untrusted JS with filesystem access. What is the faulty software that does this? No names are given here.
FUD - Not Entirely True (Score:1)
This isn't entirely true. The initial dropper uses Javascript. This dropper contains a second stage in base64-encoded form. The initial dropper then loads the second stage on the target machine. The second stage is not in JavaScript, only wrapped in it. This is merely FUD.
Re: (Score:2)
Have these people ever actually written a stable piece of code they would be willing to stake their life or the life of a close relative on?????
If "mother-in-law" counts as a close relative...
Re: (Score:2)
There is a hole in the sandbox. It only requires the user to save the file to disk and agree to run it locally.
Javascript is the new Emacs (Score:2)
A new form of ransomware .. (Score:1)
Revisit synthesis (Score:3)
A long while back, for a PhD project, a guy named Alexia (or previously Henry, the name the thesis was submitted under) Massalin wrote an OS kernel called Synthesis. The aim there was to improve efficiency by using runtime code synthesis. In the modern world, along with sandboxing using processes and memory protection, given that we now have LLVM, it would be worth someone exploring an OS where binaries are more akin to the LLVM representation (or some high level representation), and importantly, there is no static list of kernel syscalls: rather at install time, a list of required syscalls is compiled, and possibly custom versions synthesised so that the process is restricted, at the binary level, to what it can access. Something like that. If you look at the system calls a process makes, how many of the available ones does it use? And of the calls that modify files, or use network sockets, how much of the potential of those calls actually gets used? What I am suggesting is basically using LLVM to enforce something close to the principle of least authority at the kernel syscall level using code synthesis.
Re: (Score:2)
They already tried that. It was J2ME - and each mobile builder locked the thing the way they could in order to protect their lawn.
On the Desktop, J2SE and J2EE tried something like that, but the outcry from the userbase that suddenly saw their poorly configured servers breaking down, even after years of advice about what would be coming, killed the concept.
The security problems we have nowadays are not a technical problem. It's a human problem. "We" *WANT* things as we have nowadays.
Simple solution (Score:1)
A solution that would greatly reduce those kinds of problems:
All installable programs should be only available through a signed repository or store.
The only process able to install programs should be the Store application.
No code should be allowed to execute if it hasn't been installed using the Store app.
All apps should be sandboxed.
That would solve thousands of security problems. But that would also break the security software industry. Look at iOS and how many antimalware, antivirus and such exist? None. The process
Re: (Score:1)
One can imagine an open solution. /opt or /usr/local could still be used by developers for testing their app.
If I take the example of Linux, repositories could be signed by distro vendors, then SELinux could be configured to only allow the package manager to install software in system-tree.
and (for linux at least), the enforcement could be disabled by experienced users.
Why the hell on Windows does no software repository exist yet? We had a few attempts in the past like google updater, but all have disappeared si
Why is Ransomware the new thing? (Score:2)
Disposable operating systems - landfills be damned (Score:2)
We need a computer that can easily be discarded when it is too much trouble to clean, like plastic forks.
Good (Score:2)
good, now websites will be forced to present a version of themselves which is still usable without JavaScript.
What did that poll say, a quarter of /. readers surf with JavaScript disabled by default. God knows I do.
Sad to say, at some point around 2013 it became less about what the web could do for me and more about what the web could do to me.