Nemucod Joins Growing List of Ransomware Using JavaScript to Infect Computers

Ransomware has created a massive set of problems for the security world, and it has become the most prolific type of malware we have encountered in the last couple of years. As malware naturally progresses, ransomware authors are evolving their threats and adopting JavaScript and PHP to infect computers more effectively. The latest ransomware to take this route is Nemucod, a family whose earlier variants delivered the Nemucod dropper, which downloads additional malware onto an infected computer.

We recently reported on RAA Ransomware, which uses JavaScript to disguise itself so it can infect a computer unnoticed and begin encrypting data. Other threats, such as Ransom32 and JS.Crypto Ransomware, also use JavaScript in their infection process.

Using JavaScript gives Nemucod and similar ransomware a way to lock files while also downloading and installing other malicious files and executables. Researchers examining the latest Nemucod iteration also found that it uses PHP alongside JavaScript: the JavaScript downloads PHP files, together with the dependencies they need, and the PHP code carries part of the malicious payload.

The JavaScript stage first downloads a PHP script along with a PHP interpreter delivered as a .exe to run it; the PHP code contains the ransomware's malicious logic and scans the infected system's hard drive. Nemucod skips sensitive system folders, then targets files with specific extensions and appends .crypted to each file it encrypts.
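As an added illustration, not code from the original article or from any Nemucod analysis, the following Python script triages a host for the footprint described above: it walks a directory tree, collects files carrying the .crypted suffix, recovers each file's original extension, and counts untouched files in the same folders, which tells an incident responder whether the encryption was extension-selective. The sample tree it builds is constructed here for the demonstration; the folder and file names are assumptions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Suffix the article reports Nemucod appending to encrypted files.
CRYPTED_SUFFIX = ".crypted"


def original_extension(path):
    """'report.docx.crypted' -> '.docx'; empty string if no extension remains."""
    stem = path.name[: -len(CRYPTED_SUFFIX)]
    return Path(stem).suffix.lower()


def summarize(root):
    """Walk root and describe the encrypted-file footprint.

    Returns a dict with the total .crypted count, counts per original
    extension, counts per directory (relative to root), and the number of
    files that were left untouched inside directories that also hold
    encrypted files (a high number suggests extension-selective encryption).
    """
    root = Path(root)
    crypted = []
    untouched_in_hit_dirs = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        hits = [n for n in filenames if n.lower().endswith(CRYPTED_SUFFIX)]
        if not hits:
            continue
        untouched_in_hit_dirs += len(filenames) - len(hits)
        crypted.extend(Path(dirpath) / n for n in hits)

    by_ext = Counter(original_extension(p) for p in crypted)
    by_dir = Counter(p.parent.relative_to(root).as_posix() for p in crypted)
    return {
        "count": len(crypted),
        "by_ext": dict(by_ext),
        "by_dir": dict(by_dir),
        "untouched_in_hit_dirs": untouched_in_hit_dirs,
    }


def build_sample_tree(base):
    """Constructed sample layout (hypothetical names), not a real infection.

    Documents/ and Pictures/ hold renamed 'encrypted' files plus one file the
    ransomware would have skipped; Windows/ models a sensitive folder that
    was set aside entirely.
    """
    base = Path(base)
    layout = {
        "Documents/report.docx.crypted": b"placeholder ciphertext",
        "Documents/budget.xlsx.crypted": b"placeholder ciphertext",
        "Documents/notes.txt": b"untouched plaintext",
        "Pictures/holiday.jpg.crypted": b"placeholder ciphertext",
        "Windows/system.dll": b"untouched system file",
    }
    for rel, data in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo():
    """Build the constructed tree in a temp dir and return its summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host, point `summarize()` at the user profile or a mounted disk image; the `by_dir` breakdown shows where encryption stopped, and `untouched_in_hit_dirs` together with `by_ext` gives the extension list the sample actually targeted.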

Nemucod currently encrypts data effectively. Researchers believe its encryption process can be reverse engineered to unlock encrypted files, but at the time of writing no decryptor exists apart from the key the attackers offer through the ransom note's instructions.

Whatever its use of JavaScript and PHP, Nemucod has one thing in common with other ransomware: it still demands a substantial payment to unlock the infected computer. Nemucod asks for 0.3707 Bitcoin, which equates to about $245 USD. The PHP component also writes the ransom note as a text file and places it on the infected system's desktop.

As ransomware continues to evolve, older threats are being made new again with upgraded functions and the newfound ability to run as JavaScript. We expect to keep seeing ransomware that uses JavaScript and PHP to gain new functions, evade initial detection, or encrypt files more efficiently. Whatever new features JavaScript and PHP ransomware acquires, cybercrooks will keep spreading it through their conventional channel, which is primarily spam email attachments.
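One practical check against the delivery channel named above, added here as an example rather than anything from the article or from any vendor's product: a Python function that inspects an inbound message for JavaScript and other script attachments, including scripts packed inside a zip archive, which is how such attachments usually arrive. The sample message it builds is constructed for the demonstration, and the extension lists are assumptions a mail administrator would tune.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed extension lists: Windows Script Host and HTML-application formats
# that run with a double-click, and the archive type worth looking inside.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-cased final extension, so 'Invoice.PDF.js' is treated as .js."""
    name = name.lower()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def script_names_in_zip(data):
    """Return member names inside a zip payload that have a script extension."""
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and _ext(info.filename) in SCRIPT_EXTENSIONS:
                    names.append(info.filename)
    except zipfile.BadZipFile:
        # A corrupt or non-zip payload under a .zip name is left to other checks.
        pass
    return names


def script_attachments(raw_message):
    """Return a list of suspicious attachment names found in a raw RFC 822 message.

    Direct script attachments are reported by filename; scripts inside a zip
    are reported as 'archive.zip:member.js'.
    """
    msg = message_from_bytes(raw_message)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # multipart containers and the text body carry no filename
        ext = _ext(filename)
        payload = part.get_payload(decode=True) or b""
        if ext in SCRIPT_EXTENSIONS:
            findings.append(filename)
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(f"{filename}:{m}" for m in script_names_in_zip(payload))
    return findings


def build_sample_message():
    """Constructed lure: a zip holding a .js file plus a benign PDF (hypothetical names)."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("invoice_2016.js", "// constructed placeholder, not a real dropper\n")
        zf.writestr("readme.txt", "benign text\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    msg.add_attachment(b"not a script", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(script_attachments(build_sample_message()))
```

Wiring this into a gateway means quarantining on a non-empty result rather than blocking outright, since the extension lists are a policy choice; nested archives and password-protected zips (which `ZipFile` lists but cannot extract) need their own handling.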