SANS ISC: Ransom32: The first javascript ransomware SANS ISC InfoSec Forums
Ransom32: The first javascript ransomware

We have all seen how ransomware is becoming a pretty common trend in cybercrime. Well, there is a new variant, and this one has been built using JavaScript. This malware fakes the NW.js framework. Once installed, it connects to its C&C server on the TOR network over port 85 to get the bitcoin address and the crypto key used for encryption.

This trend is not new, and we have seen how malware is being built to be more and more sophisticated so that it avoids detection by any antimalware control at the endpoint. You have to integrate endpoint security with network security and correlate any alerts that might indicate an incident in progress, such as a computer connecting to the TOR network.
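The correlation the diary recommends, as an added example (not code from the ISC diary or its author): outbound connections to the port the diary mentions (TCP/85) or to addresses on a relay list are pulled out of firewall logs and matched against endpoint alerts on the same host within a short window. The log format, field names, the relay list and the alert records are all constructed for this illustration; a real deployment would read the firewall or proxy log and the EDR alert feed instead.

```python
"""Correlate endpoint alerts with suspicious outbound connections.

Added example, not from the ISC diary. Every input below is constructed:
the firewall log format, the host names, the addresses, the relay list
and the endpoint alerts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log: timestamp src_host src_ip dst_ip dst_port action
FIREWALL_LOG = """\
2016-01-04T10:02:11Z ws-017 10.0.5.17 203.0.113.40 443 allow
2016-01-04T10:03:45Z ws-017 10.0.5.17 198.51.100.23 85 allow
2016-01-04T10:04:02Z ws-022 10.0.5.22 203.0.113.41 80 allow
2016-01-04T10:05:30Z ws-031 10.0.5.31 198.51.100.77 9001 allow
"""

# Constructed endpoint alerts: (timestamp, host, detail)
ENDPOINT_ALERTS = [
    ("2016-01-04T10:03:10Z", "ws-017",
     "self-extracting archive dropped the NW.js runtime into %APPDATA%"),
    ("2016-01-04T09:10:00Z", "ws-031", "USB mass storage device connected"),
]

# Assumptions: TCP/85 is the C&C port the diary describes; 9001 is the default
# Tor OR port. The relay set is a placeholder, not a real relay list.
SUSPECT_PORTS = {85, 9001}
KNOWN_TOR_RELAYS = {"198.51.100.77"}
WINDOW = timedelta(minutes=5)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_firewall(text):
    """Turn the constructed whitespace-separated log into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, src, dst, port, action = line.split()
        events.append({"ts": parse_ts(ts), "host": host, "src": src,
                       "dst": dst, "port": int(port), "action": action})
    return events


def suspicious_network(events):
    """Allowed outbound connections to a suspect port or a known relay."""
    return [e for e in events
            if e["action"] == "allow"
            and (e["port"] in SUSPECT_PORTS or e["dst"] in KNOWN_TOR_RELAYS)]


def correlate(fw_text, alerts, window=WINDOW):
    """Match suspicious connections to endpoint alerts on the same host.

    Returns {"correlated": [(host, port, dst, alert_detail)],
             "network_only": [(host, port, dst)]}. Network hits with no
    endpoint alert inside the window are still reported so an analyst
    can triage them at a lower priority.
    """
    net_hits = suspicious_network(parse_firewall(fw_text))
    by_host = defaultdict(list)
    for a_ts, a_host, detail in alerts:
        by_host[a_host].append((parse_ts(a_ts), detail))

    correlated, network_only = [], []
    for e in net_hits:
        matched = [d for ts, d in by_host.get(e["host"], [])
                   if abs(ts - e["ts"]) <= window]
        if matched:
            correlated.append((e["host"], e["port"], e["dst"], matched[0]))
        else:
            network_only.append((e["host"], e["port"], e["dst"]))
    return {"correlated": correlated, "network_only": network_only}


if __name__ == "__main__":
    result = correlate(FIREWALL_LOG, ENDPOINT_ALERTS)
    for host, port, dst, detail in result["correlated"]:
        print(f"HIGH: {host} -> {dst}:{port} within {WINDOW} of endpoint alert: {detail}")
    for host, port, dst in result["network_only"]:
        print(f"MEDIUM: {host} -> {dst}:{port} (suspect port/relay, no endpoint alert in window)")
```

In the sample data, ws-017 produces a high-priority finding because the port-85 connection follows the endpoint alert by 35 seconds, while ws-031's relay connection stands alone and is reported at medium priority. The window size and the port list are tuning choices; the point is that neither feed alone would have ranked the ws-017 event above routine traffic.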

More information at

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
e-mail: msantand at isc dot sans dot org


Manuel Humberto Santander Peláez
ISC Handler
Jan 4th 2016
Who needs antimalware to fight such bloody trivial malware?
It's a self-extracting executable archive built with WinRAR, kids!
Someone has to run this self-extractor.
Fortunately Microsoft built SAFER alias Software Restriction Policies into (all! editions of) Windows more than 15 years ago, and hey, they also wrote some comprehensive guidance:,,, ...
Others chimed in:,,, ...

In practice, read and follow or

If you are still running an ancient Windows without SAFER: use NTFS ACLs, add an ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of files in this directory for everyone, inheritable to all files in all subdirectories" to each and every %USERPROFILE%
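To make the ACE string in the comment above readable, here is a small SDDL ACE decoder as an added example (not code from the commenter, from SANS or from Microsoft). It splits the six `;`-separated fields and maps the codes that appear here plus a few common ones; the tables are deliberately partial and are not a complete SDDL implementation.

```python
"""Decode an SDDL ACE string such as "(D;OIIO;WP;;;WD)".

Added example. The code tables below are partial: they cover the codes
used in the comment plus a few common ones.
"""

ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit"}

ACE_FLAGS = {
    "OI": "object inherit (child files receive the ACE)",
    "CI": "container inherit (child folders receive the ACE)",
    "IO": "inherit only (not applied to the object it is set on)",
    "NP": "no propagate (inheritance stops one level down)",
    "ID": "inherited (came from a parent)",
}

# SDDL right codes -> (access mask bit, meaning for file-system objects).
# WP is the generic directory-service "write property" code (0x20); on a
# file-system object that same bit is FILE_EXECUTE, which is why the comment
# reads "(D;...;WP;...)" as "deny execution".
RIGHTS = {
    "GA": (0x10000000, "GENERIC_ALL"),
    "GR": (0x80000000, "GENERIC_READ"),
    "GW": (0x40000000, "GENERIC_WRITE"),
    "GX": (0x20000000, "GENERIC_EXECUTE"),
    "RC": (0x00020000, "READ_CONTROL"),
    "SD": (0x00010000, "DELETE"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "WP": (0x00000020, "FILE_EXECUTE / TRAVERSE"),
    "FA": (0x001F01FF, "FILE_ALL_ACCESS"),
    "FR": (0x00120089, "FILE_GENERIC_READ"),
    "FW": (0x00120116, "FILE_GENERIC_WRITE"),
    "FX": (0x001200A0, "FILE_GENERIC_EXECUTE"),
}

# Note that "WD" means WRITE_DAC in the rights field but Everyone in the
# trustee field; SDDL codes are field-specific.
WELL_KNOWN_SIDS = {
    "WD": "Everyone (S-1-1-0)",
    "AU": "Authenticated Users (S-1-5-11)",
    "BA": "Builtin Administrators (S-1-5-32-544)",
    "BU": "Builtin Users (S-1-5-32-545)",
    "SY": "Local System (S-1-5-18)",
}


def _pairs(s):
    """Split a run of two-letter codes ("OIIO") into ["OI", "IO"]."""
    if len(s) % 2:
        raise ValueError(f"odd-length code run: {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(ace):
    """Return a dict with the decoded type, flags, rights, mask and trustee."""
    body = ace.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError("an SDDL ACE has six ';'-separated fields")
    ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields

    # Rights may be a hex mask ("0x20") or a run of two-letter codes ("WP").
    if rights.lower().startswith("0x"):
        codes, mask = [], int(rights, 16)
    else:
        codes = _pairs(rights)
        mask = 0
        for code in codes:
            mask |= RIGHTS[code][0]

    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": _pairs(flags),
        "rights": codes,
        "mask": mask,
        "trustee": WELL_KNOWN_SIDS.get(trustee, trustee),
    }


def describe(ace):
    """One-line English rendering of an ACE."""
    d = parse_ace(ace)
    verbs = ", ".join(RIGHTS[c][1] for c in d["rights"]) or f"mask 0x{d['mask']:x}"
    flag_text = "; ".join(ACE_FLAGS.get(f, f) for f in d["flags"]) or "this object only"
    return f"{d['type']} {verbs} for {d['trustee']} [{flag_text}]"


if __name__ == "__main__":
    print(describe("(D;OIIO;WP;;;WD)"))
```

Decoding `(D;OIIO;WP;;;WD)` gives a Deny of FILE_EXECUTE for Everyone, object-inherit and inherit-only. Because the ACE has OI but not CI, Windows passes it to subfolders as an inherit-only ACE, so it keeps reaching files at every depth without ever applying to the folders themselves, which matches the "all files in all subdirectories" wording above.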
"Anonymous" above pretty much nailed that one. We do that as a group policy, and it cut out a lot of issues.
