First JavaScript ransomware, Ransom32 discovered


1 Comment

  1. Current anti-malware research seems to indicate that the Ransom32 client in your pix is what someone wanting to tailor the malware to their own tastes gets once they buy it from TOR’s .onion hidden service; according to Emsisoft’s Fabian Wosar (leading finder of this stuff), WinRAR is just the default format available to any buyer, but any kind of extracting file format can be used…can’t just firewall out WinRAR, and he further indicates disabling Java in browsers won’t work to stop infection; worse, it’s able to subvert Chrome and Linux native sandboxing while also able to make itself executable even w/o WINE; it appears to run encryption at low CPU usage to work around notice in Task Manager; it reaches out over port 85 (which again is just default) to make an AES-128 encrypted connection to the main Ransom32 server via TOR…but a firewall might miss blocking its outreach to TOR if it lets all TLS traffic out despite other settings; lastly, the malware can be delivered via emails, infected downloads, or otherwise, and at present it seems signature blocking is very tricky or sketchy.

    All I could find on this in re protection is of course always back up everything; other than that, the only prevention seems to be having a behavior blocker as good as or better than Emsisoft’s, and then having enough technical skill to know what’s trying to connect to the internet from the innocuous-looking file your A/V throws warnings about. In other words, those such as TWC admins, security researchers, and me are very likely to be able to keep a stealth infection from connecting to TOR, but many more people won’t…especially in Linux where UFW (Uncomplicated Firewall) is the most common blocker yet doesn’t just throw GUI alerts out of the box.

    Hope this helps somehow, and look forward to TWC keeping us updated on progress towards stifling this threat on a macro scale. Cheers!
