If you’re lucky, you’ve only been hearing a lot about ransomware lately. If you’re not so lucky, you might have experienced it firsthand. Victims of this most insidious form of malware know how devastating it can be to find that suddenly all of your important data – from personal financial information to irreplaceable photos to mission-critical business documents – is inaccessible. It’s not gone (perhaps that would be less frustrating), but it’s sitting there on your drive, encrypted, and you don’t have the key to unlock it. This has been the reality for many ransomware victims, and now there is a new type of ransomware to be on the lookout for, one of the nastiest yet.

Ransomware has been in existence for over two decades (the first was the AIDS Trojan in the late 1980s), but there has been an explosion of it in the last few years, and it’s gotten more sophisticated. There are two basic types. In the case of computer locker ransomware, your entire system is locked so you can’t log on. More commonly now, with crypto ransomware, the system is accessible but the data files are encrypted.

Unlike with many viruses and malware, which are often distributed “just for fun” (well, the attacker’s idea of fun), ransomware attackers are in it for the money. They basically hold your files hostage and demand payment, often in bitcoins. Those who do pay up sometimes get their data restored, and sometimes the bad guys take the money and run; they are, after all, criminals and not exactly trustworthy.

Ransomware targets both home users and businesses. Hospitals have been a favorite target recently, since attackers know their files often hold information that is vital to patient care and the healthcare institutions are more likely than some entities to pay the ransom rather than risk disastrous outcomes that could result in much more expensive lawsuits.

Ransomware attack vectors

Ransomware can infiltrate a computer in a number of different ways. Email attachments are a common method, and until recently macros in Word documents were a favorite way to infect unsuspecting victims’ machines. That caused many computer users to wise up and disable macros, and now the feature is turned off by default in Word, so ransomware authors had to adopt a new strategy. That brings us to the “latest and greatest” in malicious software: ransomware written in JavaScript.

Email is still a popular means of delivery, with the JavaScript attachments disguised as harmless text files. Because Windows doesn’t show file extensions by default (in my opinion, a bad design decision), a file named myfile.txt.js will appear to most users to be myfile.txt. The user clicks it, expecting to see a simple document open in Notepad, and instead runs the script that starts the malware infection process. The malware may open a “decoy” file in the text editor so the user won’t know anything out of the ordinary has happened until it’s too late.

The latest iteration of JavaScript ransomware is called RAA or JS/Ransom-DLL, and it’s even more devious than earlier versions. Instead of running a script that connects to a server to download an executable ransomware program, as the Locky ransomware does, the JavaScript itself is the ransomware, and it runs in the Windows Script Host (WSH) environment, outside the web browser – which means the code isn’t sandboxed the way scripts running in the browser are.

RAA does have to connect back to its server to get a key that it will use to encrypt the victim’s files. This is a random AES key that’s unique to each victim, so unlike with some early cryptoware, if one person pays up and gets the key, it won’t work on another victim’s files. Only after the files have all been encrypted does the malware reveal itself, in the form of a README file that tells you what happened and where to send money to free your files. The going rate is reportedly approximately $250 USD.

Whether to pay up is a personal or business decision, based on the importance or sensitivity of the lost files, whether you have intact backups, the amount of ransom demanded and whether you can afford it, and what the greater ramifications (such as lawsuits or lost business) might be if you fail to get the files back.

Be aware, though, that even if you pay and the ransomware authors decrypt your files, you should take steps to make sure additional malware isn’t left behind. RAA has been reported to install another Trojan that’s designed to steal your passwords. With these guys, the hits just keep on coming. Personally, I would recommend wiping the system completely after a ransomware infection and reinstalling the operating system.

How to prevent JavaScript ransomware

The good news is that if you haven’t been hit by ransomware yet, there are steps you can take to prevent it. First (and you should have done this the moment you set up your computer), configure Windows to show common file extensions. That’s a checkbox on the View menu in the Windows File Explorer ribbon. Most email clients block JavaScript from running inside messages, so simply not opening those .JS attachments will go a long way toward protecting you. Train users to avoid opening attachments unless they’re sure of what they’re getting.

Another thing you should already be doing is creating real-time backups and periodically saving backups offline (preferably off-site). Malware can’t encrypt files it can’t touch. Removing the malware (or preferably wiping the hard drive) and restoring your data from backups beats paying ransom and still having to wipe the system for fear there’s still malware on it.

Consider blocking scripting. You can use the file associations feature in Windows to have .JS files open in Notepad as harmless text files instead of running in WSH. How to do this depends on the OS version you’re using. Do a search for “Change file associations in Windows <your version>” to find instructions on the web. While you’re at it, don’t enable automatic running of macros. The default setting in recent versions of Word is disabled; leave it that way.
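The two Windows hardening steps described above (showing file extensions and opening .JS files in Notepad rather than WSH), plus a check for disguised double-extension names like myfile.txt.js, as an added PowerShell example that is not part of the original article. It assumes a per-user registry override is acceptable (HKCU\Software\Classes takes precedence over HKCR for the signed-in account) and that the default WSH class names JSFile and JSEFile have not been changed; the JSEFile entry and the scan pattern go slightly beyond the article’s .JS-only wording.

```powershell
# Added example, not from the original article. Uses per-user registry
# paths only, so no administrator rights are needed.

# Step 1: make Explorer display extensions so "myfile.txt.js" is no longer
# shown as "myfile.txt". HideFileExt=0 is the registry form of the
# "File name extensions" checkbox on Explorer's View ribbon.
function Enable-FileExtensionDisplay {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name 'HideFileExt' -Value 0 -Type DWord
    # Explorer reads this value at start-up; restart it so the change shows.
    # Current Windows versions relaunch Explorer automatically after this.
    Stop-Process -Name explorer -Force
}

# Step 2: re-associate the JSFile (and, as an assumption beyond the article,
# JSEFile) class with Notepad in the per-user class hive. Double-clicking a
# .js file then opens it as text instead of handing it to wscript.exe.
function Set-ScriptFilesToNotepad {
    $notepad = "`"$env:SystemRoot\System32\notepad.exe`" `"%1`""
    foreach ($class in 'JSFile', 'JSEFile') {
        $cmdKey = "HKCU:\Software\Classes\$class\Shell\Open\Command"
        New-Item -Path $cmdKey -Force | Out-Null
        Set-ItemProperty -Path $cmdKey -Name '(default)' -Value $notepad
    }
}

# Step 3 (detection): list files under a folder (for example a mail
# client's attachment cache or a Downloads directory) whose name carries a
# benign-looking extension followed by a script extension, the disguise the
# article describes. The pattern is a constructed assumption, not a
# definitive signature.
function Find-DoubleExtensionScripts {
    param([Parameter(Mandatory)][string]$Path)
    $pattern = '\.[A-Za-z0-9]{2,4}\.(js|jse)$'
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -imatch $pattern } |
        Select-Object FullName, Length, LastWriteTime
}

# Example usage:
# Enable-FileExtensionDisplay
# Set-ScriptFilesToNotepad
# Find-DoubleExtensionScripts -Path "$env:USERPROFILE\Downloads"
```

To undo step 2 for a user, delete the HKCU:\Software\Classes\JSFile and JSEFile keys and the machine-wide HKCR association applies again.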

Keep your operating system and applications updated with the latest security patches. Use anti-malware software and keep the definitions up to date. Staying ahead of the malware writers and distributors is a full-time job these days, but being forewarned, informed and prepared is the key to avoiding victimization.