Ransomware in your inbox: the rise of malicious JavaScript attachments

27 April 2016


A bot, also known as zombie malware, usually sits quietly on your computer and waits for crooks to send it commands from afar, for example to deliver spam or to click on fraudulent ads.

RATs, or Remote Access Trojans, are similar to bots, but their main purpose is to keep out of sight while criminals dig around on your computer, stealing files or tapping into your webcam for their own creepy reasons.

Banking malware like Dridex also likes to go unnoticed, sneakily stealing your banking or email passwords so the crooks can raid your accounts.

But nothing quite grabs your attention like ransomware.

Ransomware generally strikes fast and hard, scrambling your files, keeping only one copy of the decryption key, and offering to let you buy your data back, typically for a few hundred dollars.

As we’ve explained before, the crooks responsible for ransomware sometimes make mistakes in how they do the encryption, so you can unscramble your files without paying up.

Unfortunately, the main families of ransomware we’ve seen in the past few months are Locky, TeslaCrypt and CryptoWall, and it’s as good as impossible to unscramble locked files without buying back the key from the criminals.

In other words, prevention is a lot better than cure.

You not only save yourself a big dollop of time and money, but also avoid having to negotiate with the crooks, which is an odious enough prospect even if you can afford the extortion payment.

How ransomware arrives

Ransomware, like any malware, can enter your network and infect your computer in many ways, including on USB devices, via booby-trapped websites, and even on the coat-tails of an existing malware infection.

(If you’re already infected with a RAT or a zombie, crooks can easily instruct your computer to download and install additional malware, such as ransomware.)

However, most ransomware these days arrives in some sort of email attachment, along with a message that encourages you to open the file and look at it.

Ransomware crooks have learned that keeping it simple works best, so they generally stick to messages that look unexceptionable to both home users and businesses.

Until the end of 2015, most of the ransomware enquiries received by Sophos involved emails containing Word documents.

We’ve encouraged you many times to take care with unsolicited document attachments, particularly those that ask you to enable a Microsoft Office feature called macros.

Macros are special programs that you can embed in Office files, making those files dangerous when received from untrusted senders.

The good news is that the effectiveness of malware that relies on Word macro programs seems to be falling.

More and more of you have become rightfully suspicious of documents that start by instructing you to turn on macros, which is the same as telling you to turn off an important security feature.

The bad news is that the crooks are increasingly turning to JavaScript attachments instead.

In the above sample emails, the attached ZIP files, when opened, contained files with the extension .JS, rather than document files such as .DOCs or .RTFs.

You probably know that JavaScript is used to write programs, and that untrusted programs can be dangerous.

Nevertheless, you’d be forgiven for assuming that the risk of opening a .JS attachment is smaller than opening a document and turning on macros.

After all, JavaScript inside email messages has been disabled by default for years in all major email programs, so emailed JavaScript ought to be safe.

And you open JavaScript from websites all the time in your browser, but the risk is mitigated by safeguards built into the browser itself.

Notably, a security feature known as the Same Origin Policy means that a .JS file in your browser can only download additional files from the website it came from – and in the case of JavaScript from an email, there is no associated website to connect back to.

Also, browser JavaScript is constrained to run only inside the browser, so it can’t read data from your hard disk, let alone write new files and then load them as Windows applications.

Unfortunately, once a .JS file has been saved to your hard disk, Windows will run it by default outside your browser, using a system component called WSH, short for Windows Script Host.

A standard system program called WScript.exe (or its companion, CScript.exe, for command-line scripts with no graphical interface) will load your script, feed it into WSH, and then run it with all the power that a regular executable program would enjoy.
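Because a .JS file inside a ZIP attachment ends up being run by WSH rather than the browser, a mail filter can treat it like any other executable. The following is an added example, not code from Sophos or the original article: a Python check that opens ZIP attachments in memory and reports script members. The extension list beyond .js, the function names and the sample message are assumptions made for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

# .js is the extension the article discusses; the other WSH-handled
# script types are an added generalization.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

def script_members(zip_bytes, depth=0):
    """Return names of archive members that WSH would run by default."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                # Windows drops trailing dots/spaces, so "x.js." still runs as .js
                lower = info.filename.lower().rstrip(". ")
                ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
                if ext in WSH_EXTENSIONS:
                    hits.append(info.filename)
                elif ext == ".zip" and depth < 2 and info.file_size < 10_000_000:
                    hits += script_members(zf.read(info), depth + 1)
    except (zipfile.BadZipFile, RuntimeError):
        pass  # not a ZIP, or a nested member is encrypted; keep what was found
    return hits

def flag_message(raw_bytes):
    """Return {attachment name: [script names]} for one raw email message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if fname.lower().endswith(tuple(WSH_EXTENSIONS)):
            findings[fname] = [fname]
        elif zipfile.is_zipfile(io.BytesIO(payload)) and (hits := script_members(payload)):
            findings[fname] = hits
    return findings

def build_sample(member="invoice_4471.js"):
    """Constructed sample: an 'invoice' email whose ZIP holds a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, "// constructed placeholder, no code")
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Invoice attached", "billing@example.com", "user@example.com"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Calling `flag_message(build_sample())` reports the `.js` member of `invoice.zip`; a gateway would quarantine or strip any message with a non-empty result.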

[Source: Sophos Naked Security]

What next?

To find out more about how our 24/7 Monitoring and Managed IT Security can help protect you against such threats, please contact us today or call 01793 295000 to speak to a member of our team.

