Pinterest Stumbleupon Whatsapp
Ads by Google

When new instances of the widely distributed Locky ransomware began to dry up around the end of May 2016, security researchers were certain we had not seen the last of the file-encrypting malware variant.

Lo and behold, they were right.

Since June 19th security experts have observed millions of malicious email messages sent with an attachment containing a new variant of the Locky ransomware. The evolution appears to have made the malware vastly more dangerous Beyond Your Computer: 5 Ways Ransomware Will Take You Captive in the Future Beyond Your Computer: 5 Ways Ransomware Will Take You Captive in the Future Ransomware is probably the nastiest malware out there, and the criminals using it are becoming more advanced, Here are five worrying things that could be taken hostage soon, including smart homes and smart cars. Read More , and are accompanied by an altered distribution tactic, spreading the infection further than previously seen.

It isn’t just the Locky ransomware worrying security researchers. There have already been other variants of Locky, and it appears distribution networks are ramping up “production” across the globe, with no particular targets in mind.

JavaScript Ransomware

2016 has seen a slight shift in malware distribution Don't Fall Foul of the Scammers: A Guide To Ransomware & Other Threats Don't Fall Foul of the Scammers: A Guide To Ransomware & Other Threats Read More . Internet users may only just be beginning to understand the extreme menace ransomware poses, but it has already begun to evolve, in order to remain under the radar for as long as possible.

JavaScript Ransomware File Flow

Ads by Google

And while malware utilizing well-known JavaScript frameworks are not uncommon, security professionals were overwhelmed with a deluge of malware in the first quarter of 2016 leading Eldon Sprickerhoff to state:

“Malware evolution seems to be as rapid and cutthroat as any jungle environment, where survival and propagation go hand in hand. Authors have frequently co-opted functionality from different malware strains into the next generation of code — regularly sampling the efficacy and profitability of each generation.”

The advent of ransomware coded in JavaScript presents a new challenge for users to attempt to avoid. Previously, if you accidentally downloaded, or were sent a malicious file, Windows would scan the file extension and decide whether or not this particular type of file poses a danger to your system.

For example, when you attempt to run an unknown .exe file, you’ll encounter this warning:

Windows Open File Warning Dialogue

There is no such default warning with JavaScript — the .js file extension — files, which has led to a massive number of users clicking without thinking, then being held for ransom.

Botnets and Spam Email

The vast majority of ransomware is sent via malicious emails, which in turn are sent in huge volumes through massive networks of infected computers, commonly referred to as a “botnet.”

The huge rise in Locky ransomware has been linked directly to the Necrus botnet, which saw an average of 50,000 IP addresses infected every 24 hours for several months. During observation (by Anubis Networks), infection rates remained steady, until March 28th when there was a huge surge, reaching 650,000 infections over a 24-hour period. Then, back to business as normal, albeit with a slowly dropping infection rate.

Necurs Botnet Infection Map

On June 1st, Necrus went quiet. Speculation as to why the botnet went quiet is slim, though much centered around the arrest of around 50 Russian hackers. However, the botnet resumed business later in the month (around the 19th June), sending the new Locky variant to millions of potential victims. You can see the current spread of the Necrus botnet in the above image – note how it avoids Russia?

The spam emails always contain an attachment, purporting to be an important document or archive sent from a trusted (but spoofed) account. Once the document is downloaded and accessed, it will automatically run an infected macro or other malicious script, and the encryption process begins.

Whether Locky, Dridex, CryptoLocker, or one of the myriad ransomware variants Viruses, Spyware, Malware, etc. Explained: Understanding Online Threats Viruses, Spyware, Malware, etc. Explained: Understanding Online Threats When you start to think about all the things that could go wrong when browsing the Internet, the web starts to look like a pretty scary place. Read More , spam email is still the choice delivery network for ransomware, plainly illustrating just how successful this method of delivery is.

New Challengers Appear: Bart and RAA

JavaScript malware isn’t the only menace Ransomware Keeps Growing - How Can You Protect Yourself? Ransomware Keeps Growing - How Can You Protect Yourself? Read More users will have to contend with in the coming months — although I do have another JavaScript tool to tell you about!

First up, the Bart infection leverages some pretty standard ransomware techniques, using a similar payment interface to Locky, and targeting a mainstream list of file extensions for encryption. However, there are a couple of key operational differences. While most ransomware need to dial home to a command and control server for the encryption green light, Bart has no such mechanism.

Bart Decryptor Purchase Interface

Instead, Brendan Griffin and Ronnie Tokazowski of Phishme believe Bart relies on a “distinct victim identifier to indicate to the threat actor what decryption key should be used to create the decryption application purported to be available to those victims who pay the ransom,” meaning even if the infected is rapidly disconnected from the Internet (before receiving the traditional command and control go-ahead), the ransomware will still encrypt the files.

There are two more things that sets Bart aside: its decryption asking price, and its specific choice of targets. It currently stands at 3BTC (bitcoin), which at the time of writing equates to just under $2000! As for a choice of targets, it is actually more who Bart doesn’t target. If Bart determines an installed user language of Russian, Ukrainian, or Belorussian, it will not deploy.

Bart Infections by Country

Second up, we have RAA, another ransomware variant developed entirely in JavaScript. What makes RAA interesting is its use of common JavaScript libraries. RAA is distributed through a malicious email network, as we see with most ransomware, and usually comes disguised as a Word document. When the file is executed, it generates a fake Word document which appears to be entirely corrupted. Instead, RAA scans the available drives to check for read and write access and, if successful, the Crypto-JS library to begin encrypting the user’s files.

To add insult to injury, RAA also bundles well-known password stealing program Pony, just to make sure you’re really, really screwed.

Controlling JavaScript Malware

Luckily, despite the obvious threat posed by JavaScript-based malware, we can mitigate the potential danger with some basic security controls in both our email accounts and our Office suites. I use Microsoft Office, so these tips will focus on those programs, but you should apply the same security principles to your whichever applications you use.

Disable Macros

First, you can disable macros from automatically running. A macro may contain code designed to automatically download and execute malware, without you realizing. I’ll show you how to do this in Microsoft Word 2016, but the process is relatively similar for all other Office programs How to Protect Yourself From Microsoft Word Malware How to Protect Yourself From Microsoft Word Malware Did you know that your computer can be infected by malicious Microsoft Office documents, or that you could be duped into enabling the settings they need to infect your computer? Read More .

Head to File > Options > Trust Centre > Trust Centre Settings. Under Macro Settings you have four options. I choose to Disable all macros with notification, so I can choose to run it if I am sure of the source. However, Microsoft advise selecting Disable all macros except digitally signed macros, in direct relation to the spread of the Locky ransomware.

Word 2016 Macro Settings

Show Extensions, Use Different Program

This isn’t entirely foolproof, but the combination of the two changes will perhaps save you from double-clicking the wrong file.

First, you need to enable file extensions within Windows, which are hidden by default.

In Windows 10, open an Explorer window, and head to the View tab. Check File name extensions.

In Windows 7, 8, or 8.1, head to Control Panel > Appearance and Personalization > Folder Options. Under the View tab, scroll down the Advanced settings until you spot Hide extensions for known file types.

show-hidden-files.png

If you accidentally download a malicious file disguised as something else, you should be able to spot the file extension before execution.

The second part of this involves changing the default program used to open JavaScript files. You see, when you engage with JavaScript within your browser, there are a number of barriers and frameworks in place to attempt to stop any malicious happenings from ravaging your system. Once you’re outside the sanctity of the browser and into the Windows shell, bad things can happen when that file executes.

Windows 10 JavaScript automatic application choice

Head to a .js file. If you don’t know where or how, enter *.js into the Windows Explorer search bar. Your window should populate with files akin to this:

Right-click a file and select Properties. At the moment our JavaScript file opens with Microsoft Windows Based Script Host. Scroll down until you find Notepad and press OK.

Double-Check

Microsoft Outlook doesn’t let you receive files of certain type. This includes both .exe and .js, and is to stop you inadvertently introducing malware to your computer. However, that doesn’t mean they cannot and will not slip through both other means. There are three extremely easy ways ransomware can be repackaged:

  • Using file compression: the malicious code can be archived, and is sent with a different file extension that doesn’t trigger Outlook’s integrated attachment blocking.
  • Rename the file: we frequently encounter malicious code disguised as another file type. As most of the world uses some form of office suite, document formats are extremely popular.
  • Using a shared server: this option is a little less likely, but malicious mail can be sent from a private FTP or secure SharePoint server if compromised. As the server would be whitelisted within Outlook, the attachment wouldn’t be picked up as malicious.

See here for a full list of which extensions Outlook blocks by default.

Constant Vigilance

I’m not going to lie. There is an omnipresent threat of malware when you’re online — but you don’t have to succumb to the pressure. Consider the sites you’re visiting, the accounts you’re signing up to, and the emails you’re receiving. And even though we know it is difficult for antivirus software to maintain pace with the dazzling array of malware variants churned out, downloading and updating an antivirus suite should absolutely form part of your system defense.

Have you been hit by ransomware? Did you get your files back? Which ransomware was it? Let us know what happened to you!

Image Credits: Necrus botnet infection map via malwaretech.com, Bart decryption interface and Current infections by country both via phishme.com

  1. Eddie G.
    July 8, 2016 at 2:21 am

    I find it amazing that people can be so easily fooled into clicking or opening everything that's sent to their PC, whether it comes in the form of an email, or a link, or anything else. The first rule? ALWAYS CHECK A FILE'S SOURCE, regardless of if it says its from your grandmother or your boss, either way, CALL, EMAIL, TEXT, or get in contact with the sender in SOME way to verify that its from the person it SAYS its from.
    Second? Even if it DOES come from a reliable source, speak to them and ASK them what the file contains, if they cannot describe it to you in detail? Don't open it. Not everyone who works for your company? has the company's best interests at heart. If possible and you're at home try to off-load the file onto another computer you have lying around that if compromised won't be detrimental to your job.
    And finally? listen people, its not hard to circumvent and avoid being infected by nasty ransomware, just try your best to only go to sites you know and trust. While browsing the web can be fun, and informative, don't just go clicking around all willy-nilly. Try avoiding homepage sites that are too "busy" with blinking, flashy things everywhere. (MSN....Yahoo....and a few others)....DuckDuckGo and Google are sites that have absolutely NO content on their hompages, so when you're searching for something you can do so without worrying about the pop-under that you MIGHT have clicked on when you were attempting to go to another site. Not everything that says "Click Here" should be clicked on, and for God's sake when downloading ANYTHING?....after download is complete, RUN A SCAN ON THE FILE.....TWICE or MORE! In this day and age you can NEVER be too careful, as evidenced by the person who's info was SUPPOSED to be under lock and key with LifeLock, but who....eventually found out that their info was out there in the "cloud" unprotected and free of charge!!
    And you can always protect your data by backing it up regularly to an external device...(external USB hard drives are available in 1TB...2TB..and even 3/4TB!!...so space isn't an issue, and price points drop eventually!) Everyone should be able to have access to their data at any time that THEY want, and if / when you get hit with ransomware?...all you have to do is wipe the machine (by re-installing the OS!) and put your files which have been backed up to the external device right back where they belong! Just my two cents.....

  2. Mike
    July 7, 2016 at 10:18 pm

    I use a sand-boxed email program,so I should be safe,or at least safer.

Leave a Reply

Your email address will not be published. Required fields are marked *