RAA Ransomware Composed Entirely of JavaScript

PliotronX

Diamond Member
Oct 17, 1999
I can see the dialog box now, "please update Java to 'protect' your files."

(Lapsed that it was JS, never mind...)
 

TheRyuu

Diamond Member
Dec 3, 2005
The Hacker News discussion has more details about this[1]. And specifically on the internals of this[2]:
fny said:
For those who are interested in the guts of this, you can find the beautified code on Github[0] and a detailed breakdown here[1].

In short, Windows completely exposes its filesystem through ActiveX and WScript, skipping the need to package Node for filesystem access. Then bundle native JS crypto along with some nasty string-encoded binaries, and you've got everything you need to hold a PC hostage.

Makes me wonder if there's a way to commit such evils with AppleScript and/or JavaScriptCore...

[0]: https://gist.github.com/Antelox/020c727e1917bd018441cb6425cae397
[1]: https://reaqta.com/2016/06/raa-ransomware-delivering-pony/

Further discussion on the viability of this actually infecting a system[3]:
toyg said:
Not "completely", there are ways to disable this sort of thing with AD policies. This corner of Windows has been de-emphasized ever since the "security push" of XP SP2, and it's all but been replaced by PowerShell. Microsoft being Microsoft, they have not completely removed cscript.exe for compatibility reasons, but they'll likely do it at some point.

In fact, I bet this "exploit" doesn't work on a properly-secured box with UAC on where a user is not running as a local admin, at least not for the part about Volume Shadow Copy.

It's a shame because I personally like CScript/WScript, it's the little scripting engine that could. Unfortunately, the Windows security model is too haphazard to let something like this free to run.

Provided that this is actually correct, then even if you've only taken basic precautions with the security setup of your current system, it should still be pretty safe from this. I'm not sure what exactly was going on with the Word documents that were being used to spread this. Perhaps another exploit was being used in conjunction with the ransomware (escalation of privilege).

[1] https://news.ycombinator.com/item?id=11934717
[2] https://news.ycombinator.com/item?id=11935105
[3] https://news.ycombinator.com/item?id=11936966
 
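The quoted comment mentions that Windows Script Host can be disabled by policy. The script below is an added example, not code from the thread or from either quoted commenter: it audits the documented Windows Script Host `Enabled` registry value in both the machine and user hives and reports which program handles `.js`/`.jse` files, so an administrator can confirm a box is not set up to run a double-clicked `.js` attachment with `wscript.exe`. It assumes a Windows host with PowerShell 5.1 or later; writing the machine-wide value requires an elevated session.

```powershell
# Added example (not from the thread). Audits whether Windows Script Host (WSH) is
# disabled and what the .js/.jse extensions are associated with.
# Assumes Windows with PowerShell 5.1+; Disable-Wsh needs an elevated prompt.

$WshSettingsPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',  # all users
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'   # current user
)

function Get-WshEnabledState {
    # Returns one object per hive. WSH treats a missing "Enabled" value as enabled;
    # a DWORD of 0 stops wscript.exe/cscript.exe from running scripts for that scope.
    foreach ($path in $WshSettingsPaths) {
        $raw = $null
        if (Test-Path -Path $path) {
            $raw = (Get-ItemProperty -Path $path -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Path     = $path
            RawValue = $raw
            Enabled  = ($null -eq $raw) -or ($raw -ne 0)
        }
    }
}

function Get-ScriptExtensionHandlers {
    # Reports the ProgID registered for each WSH script extension and the command that
    # ProgID opens with. On a stock install .js maps to JSFile, which launches wscript.exe.
    foreach ($ext in '.js', '.jse', '.vbs', '.wsf') {
        $progId  = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
        $command = $null
        if ($progId) {
            $command = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$progId\shell\open\command" `
                        -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Extension = $ext
            ProgId    = $progId
            OpenWith  = $command
            # Flag associations that still hand the file straight to a script host.
            RunsScript = [bool]($command -match 'wscript\.exe|cscript\.exe')
        }
    }
}

function Disable-Wsh {
    # Sets Enabled=0 machine-wide (requires elevation). Re-run Get-WshEnabledState
    # afterwards and check HKCU as well, since a per-user value can differ.
    param([string]$Path = $WshSettingsPaths[0])
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Usage: report current state; call Disable-Wsh only after reviewing it.
Get-WshEnabledState | Format-Table -AutoSize
Get-ScriptExtensionHandlers | Format-Table -AutoSize
```

Either finding alone (WSH enabled, or `.js` opening with `wscript.exe`) is enough for a mailed script to run when a user double-clicks it, which is the delivery path this thread is discussing. Environments that cannot disable WSH outright often instead re-associate these extensions with Notepad so the file opens as text.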

John Connor

Lifer
Nov 30, 2012
+1 for VooDoo Shield or other OS sandbox software. If delivered through the browser I have NoScript and Sandboxie to deal with that.

In today's day and age I think all anti-virus software should offer an OS sandbox environment.