New Ransomware Streamlines Attacks With JavaScript


A newly discovered ransomware variant does away with downloading a malicious file, carrying out the dirty work itself

A new form of ransomware has emerged that tries to evade security protections by carrying out all its operations using the JavaScript scripting language, according to computer security researchers.

The development is the latest in the rapidly expanding ransomware category, which has grown into a significant threat in recent months as criminals are attracted by lucrative payouts.


JavaScript email attachments have become more popular with attackers as users grow more wary of opening attached documents that may contain malicious macros, but most of these script attachments must still download executable code from a remote server, according to security firm Sophos.

A newly discovered variant called RAA, however, simplifies things by carrying out all the malicious operations using JavaScript itself.

“The JavaScript doesn’t download the ransomware, it is the ransomware,” wrote Sophos researcher Paul Ducklin in an advisory. “No additional software is downloaded, so once the JS/Ransom-DDL malware file is inside your network, it’s ready to scramble your data and pop up a ransom message all on its own.” He said RAA isn’t yet widespread.

The script arrives as an attachment called Invoice.txt.js, which appears as “Invoice.txt” on most Windows systems, because Windows Explorer hides the extensions of known file types by default and so drops the trailing “.js”.

If opened, JavaScript attachments of this kind execute by default in the Windows Script Host (WSH), which, unlike a browser, imposes no sandbox on the script and runs it with the rights of the logged-in user, Ducklin said.
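The double-extension trick above is easy to check for at the mail gateway or in a quarantine review. The following is an added example, not code from Sophos or from the RAA sample: it models Explorer's default display (the final extension of a known type is hidden, so the user sees only what comes before it) and flags attachments that WSH would run on double-click, with the worst rating reserved for names whose visible part ends in a document extension. The extension lists and the attachment names are assumptions constructed for illustration, and the model simplifies by treating every final extension as a registered type.

```python
"""Flag e-mail attachments that Windows Script Host would execute on
double-click and whose visible name hides that behind a document extension.

Added example, not Sophos's or RAA's code.  The extension sets below are
assumptions about a default Windows install; the sample names are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Extensions the Windows Script Host runs directly when double-clicked.
WSH_SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Extensions a user would expect to open a harmless document or image.
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
                 ".rtf", ".jpg", ".png"}


@dataclass(frozen=True)
class Verdict:
    name: str
    displayed_name: str   # what Explorer shows with "hide extensions" on
    runs_in_wsh: bool     # final extension is handled by WSH
    disguised: bool       # visible part ends in a document extension
    risk: str             # "block", "review" or "allow"


def displayed_name(name: str) -> str:
    """Explorer's default rendering: the last extension is dropped.

    Simplification: a real Explorer only hides *registered* extensions;
    here every trailing extension is treated as registered.
    """
    p = PureWindowsPath(name)
    return p.stem if p.suffix else name


def classify_attachment(name: str) -> Verdict:
    """Rate one attachment name by how it would execute and how it looks."""
    last_ext = PureWindowsPath(name).suffix.lower()
    shown = displayed_name(name)
    runs = last_ext in WSH_SCRIPT_EXTS
    # The extension the victim actually sees is the second-to-last one.
    visible_ext = PureWindowsPath(shown).suffix.lower()
    disguised = runs and visible_ext in DOCUMENT_EXTS
    if disguised:
        risk = "block"      # Invoice.txt.js style: script dressed as a document
    elif runs:
        risk = "review"     # plain script attachment, still worth a look
    else:
        risk = "allow"
    return Verdict(name, shown, runs, disguised, risk)


def triage(names):
    """Classify a batch of attachment names, keyed by the original name."""
    return {n: classify_attachment(n) for n in names}


# Constructed sample, including the RAA-style name reported by Sophos.
SAMPLE_ATTACHMENTS = [
    "Invoice.txt.js",
    "report_Q2.pdf",
    "scan0012.PDF.JS",
    "build.wsf",
    "photo.jpg",
]

if __name__ == "__main__":
    for name, v in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} shown as {v.displayed_name:14} "
              f"wsh={str(v.runs_in_wsh):5} {v.risk}")
```

Case matters only for matching, not for execution: `scan0012.PDF.JS` is rated the same as `Invoice.txt.js` because WSH does not care about the case of the extension. A gateway rule built on this logic would block or at least strip the first category outright, since a script that masquerades as a text file has no legitimate business reaching a mailbox.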

The technique is simpler than the most common infection method, an emailed Word document that contains a malicious macro.

Macro danger

Once the document is opened, the attacker must also convince the user to turn macros on, since Microsoft Office disables them by default. The macro must then download an executable file to carry out the malicious activity.

Those extra steps are no longer necessary with RAA’s JavaScript attachment, according to Ducklin, who noted that the JavaScript icon used in Windows resembles a document rather than a program.

“JavaScript is a general-purpose programming language,” he wrote. “It can be used for anything from modest scripts to full-blown applications.”

Once executed, RAA launches a decoy document in WordPad that displays a fake error message, while in the background fetching a unique identifier and encryption key from a remote server.

It then begins encrypting the user’s documents, before displaying a message demanding a ransom of 0.39 Bitcoins, or about £187, in exchange for unlocking the files.

Password stealer

RAA differs from other ransomware in another way, as well: in addition to encrypting the victim’s files, it installs a password-stealing program for good measure.

“The ransomware in this case might itself be intended as a sort of decoy, to distract you from the fact that you’ll still be infected with the password stealing component,” Ducklin wrote.

Freedom of Information Act (FOI) requests published last week by security firm Avecto found that at least 30 percent of UK local councils had been affected by at least one ransomware attack during 2015, with one council hit by 13 separate attacks. Sixty-five percent of those affected said they had not paid a ransom.
