Malware researchers at the anti-virus company Emisoft have uncovered a new "ransomware" package that encrypts the files of victims and demands payment to restore them. Dubbed Ransom32, the malicious code is different from CryptoWall and many other previous ransomware variants in two key ways: it was coded using JavaScript, and it’s being offered to would-be cybercriminals as a paid service.

In a blog post, Emisoft Chief Technology Officer Fabian Wosar described the malware and its Tor-based administrative Web interface. Users of the service log in with their Bitcoin wallet addresses; once they're connected, they can configure features of the malware "client" for the service such as the messages displayed to victims during the malware installation and how much to demand in ransom for encryption keys. They can also track the payments already made and how many systems have become infected.

The malware itself is based on NW.js, a framework based on Node.js that allows developers to write Windows applications in JavaScript. It is delivered, renamed as "chrome.exe," in a self-extracting archive along with a Tor client (renamed as "rundll32.exe") and a set of Visual Basic scripts used to display customized pop-up alert messages and perform some basic file manipulation. The malware is also packaged with a renamed version of the Optimum X Shortcut utility—software used to create and change Start menu items and desktop shortcuts. The entire payload is over 22 megabytes, which is huge in comparison to other crypto-ransomware packages.

Once installed, Ransom32 retrieves a 128-bit AES encryption key from the Tor command and control server and starts encrypting a wide range of user files: Office documents, other text document formats, PDFs, images, databases, e-mail message archives, videos and music, etc. It uses counter (CTR) block mode to generate a new key for each file. Each key is then encrypted using a public key from the command and control server and stored as part of the encrypted file.

Another novel feature of Ransom32 is a sort of "proof of life" capability that demonstrates to victims that their files can be retrieved. The malware "offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption," Wosar noted. "During this process the malware will send the encrypted AES key from the chosen file to the (command and control) server and gets the decrypted per-file AES key back in return."

While Ransom32 is Windows-specific, the use of JavaScript and Node.js means that it could potentially be applied to other operating systems with relatively minor modifications. And as ransomware matures, other "ransom as a service" malware packages are sure to join Ransom32. "Affiliate" ransomware packages such as Tox and the FABKEN team's Cryptolocker Service, both of which emerged late in 2015, are already offering inexpensive entry into digital extortion.