NW.js, previously known as Node-WebKit, is a combination of WebKit and Node.js. Node.js allows JavaScript to access the underlying operating system in much the same way as traditional languages, like C. Unlike traditional WebKit browser implementations that prevent web applications from accessing the underlying OS, NW.js has no such limitations.
NW.js is able to run on OS X, Windows, and Linux, making it comparable to other multi-OS frameworks, like .NET and Java. Normally, having a framework requirement would be the last thing malware would want considering it typically involves having the user install the framework in advance. Unlike .NET and Java, NW.js, is not bundled on most computers. According to Emsisoft’s Fabian Wosar, “The benefit of NW.js though is, that with all these other frameworks you need the ‘runtime’ installed on the system already. This can be the .NET framework or Mono in case of .NET or the Java Runtime in case of Java. NW.js has this neat way of packing the runtime and your NW.js into one single executable. So you don’t rely on the user having some kind of existing framework installed.” Ransom32 is the first known piece of malware to utilize NW.js. Mr. Wosar goes on to say that, “If there ever was like a successor of CryptoLocker from a cryptography point of view, this would be it.” This indicates that Ransom32 is not an amateur attempt, and, as such, will not be able to be decrypted.
Currently, Ransom32 is currently only spread through spam email campaigns, although other vectors will likely be adopted in the future. It was first detected on 19 December 2015, according to Mr. Wosar. Ransom32 is believed to have originated from a Ransomware-as-a-Service (RaaS) broker on the dark web. While this malware is only currently known to infect Windows PCs, we may be closer than ever to truly cross-platform ransomware.
CryptoPrevent blocks .js execution from protected locations and will protect against this threat.
