Cyber Security

This New Ransomware Is Even Harder To Detect

Never open attachments from strangers. Really, just never do it

Illustration: R. A. Di Ieso
Jun 23, 2016 at 1:01 PM ET

Researchers say that criminals who create ransomware—that ever-evolving plague locking computers unless their owners pay up—can now write it as pure JavaScript, making it easier to fool unsuspecting users.

Ransomware, which costs some states hundreds of thousands of dollars each year and is only becoming more widespread, varies enormously in how it’s deployed. The end result, though, is always an attempt to encrypt a computer’s files, plus a promise that the only way to get them back is to pay a bounty to the hacker behind it. Often, ransomware arrives via email, and installs itself when the recipient opens an attachment, which could be a malicious executable file, a type of virus, or even a Microsoft Word doc containing a macro—basically a script that can be run within Microsoft Word, but which can be programmed to operate maliciously outside of Word.

But researchers at cybersecurity company Sophos have announced a new type of ransomware, dubbed JS/Ransom-DDL. It comes written purely in JavaScript—a programming language best known for basic interactive features in websites—whereas previously observed types used JavaScript only to call ransomware from an outside server and install it onto a computer.

This is particularly dangerous for Windows users. Windows’s default mode doesn’t automatically show a JavaScript file’s extension, so a file named “ransomware.doc.js” will simply appear to the user as titled “ransomware.doc,” and thus appear to be a document rather than a program.

As is often the case with malware, though, JS/Ransom-DDL does require user carelessness. JavaScript programs can appear to Windows users to be a sort of document, but users still need to actually open that program. “Windows users need to open the attachment (typically a zip) with the JavaScript inside,” said Mark Loman, a researcher at SurfLight who contributed to Sophos’s report. “The icon of the JavaScript file looks like a scroll, so people could believe it’s a document.”
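The disguise described above (a script inside a zip attachment, named so that it reads as a document once Windows hides the final extension) can be checked for before a user ever sees the file. The following is an added example, not code from the article or from Sophos; the extension lists and the sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists for this example; tune them to local mail policy.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
DECOY_EXTS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".rtf", ".jpg"}


def classify_name(name):
    """Return 'disguised-script', 'script' or None for one archive member name."""
    # Windows ignores trailing dots and spaces, so drop them before parsing.
    clean = name.replace("\\", "/").rstrip(" .")
    # Padding spaces before the real extension are stripped from each suffix.
    suffixes = [s.strip().lower() for s in PurePosixPath(clean).suffixes]
    if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
        return "disguised-script"  # e.g. shown as "ransomware.doc"
    return "script"


def scan_zip(data):
    """Return [(member_name, verdict)] for script files inside a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict:
                findings.append((info.filename, verdict))
    return findings


def build_sample_zip():
    """Constructed sample attachment; members hold harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ransomware.doc.js", "// placeholder")
        zf.writestr("report.docx", "placeholder")
        zf.writestr("docs/setup.js", "// placeholder")
        zf.writestr("scan.pdf   .JS", "// placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_zip()):
        print(f"{verdict:17} {name}")
```

A mail gateway or triage script could quarantine any attachment for which `scan_zip` returns a finding, since legitimate correspondence rarely ships script files inside zip archives.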

Though it may seem obvious that you shouldn’t open even a document emailed to you by either a stranger or someone whose email seems suspicious, email phishing is still a devastatingly effective practice. In a 2015 survey that showed 10 suspicious emails to 19,000 subjects, only 3 percent of them correctly identified each of the phishing attempts.