Ransomware that’s 100% pure JavaScript, no download required - expert comments

June 2016 by

Security researchers have discovered a new strain of ransomware coded entirely in JavaScript, which could increase its chances of being activated. This new ransomware sample, dubbed RAA, isn’t widespread, but it’s quite the development: rather than using JavaScript to download the ransomware, the JavaScript IS the ransomware.

Simon Crosby, CTO and co-founder at Bromium:
"The thousand-fold increase in crypto-malware highlights a profound change in the cyber-landscape. Financially motivated attackers have shifted from human- to machine-timescale breaches with guaranteed pay-outs. An attacker seeking to steal intellectual property, PII or payment card information needs to successfully breach and persist on one or more endpoints, carefully research the network, stealthily exfiltrate data, and finally process it to sell on the dark web. A lot of effort for an uncertain payout.

Crypto-malware changes everything:
· Every compromised device, whether company or personally owned, can be quickly monetised.
· If money isn’t the goal, using crypto malware to cripple a target for activist, political or military gain is quick, precise and lethal – and simpler and more effective than a messy kinetic weapon.
· An attacker can avoid the risk of post-breach detection or interrupted exfiltration, by simply leaving data in place but quietly encrypting it.
· The attacker maximises fear and impact by crippling access to data in a shocking way. For organisations whose missions depend on availability of computer systems, this is a nightmare.
· The attacker doesn’t have to decide what data is valuable. Encrypting all data forces the victim to decide. Being both fearful and unsure, the victim is very likely to pay up.

Machine timescale attacks can only be prevented using isolation - eliminating the opportunity for malware to encrypt any files of value or penetrate deeper into the network. Micro-virtualization has a 100% success rate against all crypto malware, even if delivered as JavaScript."

Troy Gill, Manager of Security Research at AppRiver:
How can organisations protect themselves from this threat? Is blocking JavaScript a non-starter?
"For plenty of organisations blocking .js attachments is a very viable solution. Most modern spam filters should have the ability to do this very easily. Of course users that need to send that file type could find workarounds if the need arises. Of course for some organisations they may not like this option, if they are sending these around frequently but those organisations are the exception and not the rule."

Is it impossible to block?
"From an email filtering perspective, these are not impossible to block. Malware distributors routinely re-obfuscate these files to evade filtering. They do however require a combination of deep analysis, predictive rule creation and fast response times."

What other ways can organisations protect themselves from this threat?
"Of course utilising a secure spam filtering and web filtering solution can help prevent you from ever being exposed to this type of thing. Make sure that you do have the ability to ban the file type in email—and make sure you are doing so. Some organisations might also want to consider disabling Windows Script Host as it will prevent these scripts from running but this will cause issues for users that need to run scripts for legitimate reasons."
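The attachment ban recommended above can be sketched as a check a mail gateway might run on each message. This is an added example, not code from the article or from any vendor quoted in it; the extension list beyond `.js`, the function names and the sample messages are assumptions made for illustration.

```python
"""Added example: flag e-mail attachments that Windows Script Host would run."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the article names only .js; the other entries are the
# remaining script types that Windows Script Host executes.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}


def is_wsh_script(filename: str) -> bool:
    """True if the file's final extension is one Windows Script Host runs."""
    # Windows drops trailing dots and spaces, so "a.js. " still opens as .js.
    cleaned = filename.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    # Only the last extension decides the handler: "invoice.doc.js" is a script.
    return dot != -1 and cleaned[dot:] in WSH_EXTENSIONS


def script_attachments(raw: bytes) -> list[str]:
    """Return the filenames of script attachments found in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # visits every MIME part of the message
        name = part.get_filename()  # decoded by the email package
        if name and is_wsh_script(name):
            hits.append(name)
    return hits  # limitation: scripts packed inside archives are not inspected


def sample_message(filename: str) -> bytes:
    """Build a constructed message carrying one harmless placeholder attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("See attached.")
    m.add_attachment(b"// constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for fn in ("invoice.doc.js", "notes.txt", "photo.js.png"):
        verdict = "BLOCK" if script_attachments(sample_message(fn)) else "allow"
        print(f"{fn}: {verdict}")
```

A gateway would quarantine or reject any message for which `script_attachments` returns a non-empty list.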
