Thanks to Principal Researcher Fraser Howard of SophosLabs and Sophos Security Specialist Mike Yates for their help with this article.
RATs, or Remote Access Trojans, are similar to bots, but their main purpose is to keep out of sight while criminals dig around on your computer, stealing files or tapping into your webcam for their own creepy reasons.
Banking malware like Dridex also likes to go unnoticed, sneakily stealing your banking or email passwords so the crooks can raid your accounts.
But nothing quite grabs your attention like ransomware.
Ransomware generally strikes fast and hard, scrambling your files, keeping only one copy of the decryption key, and offering to let you buy your data back, typically for a few hundred dollars.
As we’ve explained before, the crooks responsible for ransomware sometimes make mistakes in how they do the encryption, so you can unscramble your files without paying up.
Unfortunately, the main families of ransomware we’ve seen in the past few months are Locky, TeslaCrypt and CryptoWall, and it’s as good as impossible to unscramble locked files without buying back the key from the criminals.
In other words, prevention is a lot better than cure.
You not only save yourself a big dollop of time and money, but also avoid having to negotiate with the crooks, which is an odious enough prospect even if you can afford the extortion payment.
How ransomware arrives
Ransomware, like any malware, can enter your network and infect your computer in many ways, including on USB devices, via booby-trapped websites, and even on the coat-tails of an existing malware infection.
However, most ransomware these days arrives in some sort of email attachment, along with a message that encourages you to open the file and look at it.
Ransomware crooks have learned that keeping it simple works best, so they generally stick to messages that look unexceptionable to both home users and businesses, like these recent examples:
Until the end of 2015, most of the ransomware enquiries received by Sophos involved emails containing Word documents.
We’ve encouraged you many times to take care with unsolicited document attachments, particularly those that ask you to enable a Microsoft Office feature called macros.
Macros are special programs that you can embed in Office files, making those files dangerous when received from untrusted senders.
The good news is that the effectiveness of malware that relies on Word macro programs seems to be falling.
More and more of you have become rightfully suspicious of documents that start by instructing you to turn on macros, which is the same as telling you to turn off an important security feature.
In the above sample emails, the attached ZIP files, when opened, contained files with the extension .JS, rather than document files such as .DOCs or .RTFs.
As you can see, the default Windows icon for scripts such as .JS files is a stylised scroll of paper, still crudely rendered at the low resolution of a decade or more ago.
That’s meant to reflect that scripts are written as plain old text, rather than compiled into illegible binary data like programs in C, C++ or Delphi.
As you can see in the bottom right of the screenshot above, the crooks often add a double extension to malware filenames, such as receipt.PDF.js.
When Windows suppresses the final extension, the second-last extension (which is really just part of the filename) gives the impression that the file is not what it seems, showing up simply as receipt.PDF.
Nevertheless, you’d be forgiven for assuming that the risk of opening a .JS attachment is smaller than opening a document and turning on macros.
Unfortunately, once a .JS file has been saved to your hard disk, Windows will run it by default outside your browser, using a system component called WSH, short for Windows Script Host.
A standard system program called WScript.exe (or its companion, CScript.exe, for command-line scripts with no graphical interface) will load your script, feed it into WSH, and then run it with all the power that a regular executable program would enjoy.
In the example below, taken from one of the attachments in the emails above, the lines containing calls to a special WSH function called WScript.CreateObject().
This WSH function allows the malware author to go way beyond what would be allowed in your browser.
The malware code creates network connections to a list of servers, requests and retrieves web content, and saves and runs a downloaded ransowmare executable:
Then the malware creates a file called DECRYPT.TXT to tell you how to buy back your scrambled files:
Given that .JS files are stored as plain text, you might imagine that dangerous code like the scripts above would be easy to spot.
Unfortunately, text programs are also easy for programs themselves to spit out.
This function allows you to use ASCII digits to represent characters, making it easy to hide text strings such as URLs, or to disguise program fragments that make suspicious calls to the WScript.CreateObject() function.)
You can use String.fromCharCode(34) to represent a double quote character (“), which is a handy trick when you need to include a quote mark inside a text string that is itself enclosed in double quotes.
One malware sample does it like this:
But the other two use completely different, though equally peculiar, ways of calling the same function:
What to do?
- To defend against ransomware in general, see our article How to stay protected against ransomware.
- To protect against misleading filenames, tell Explorer to show you files with their extensions. (See below.)
If you’re a Sophos customer, you can also protect against outside-the-browser script malware by blocking the Windows Script Host programs WScript.exe and CScript.exe. Use Sophos Endpoint Security’s Application Control feature to block Microsoft WSH Cscript and Microsoft WSH WScript under the application type Programming/Scripting tools.
HOW TO TELL EXPLORER TO OPEN .JS FILES WITH NOTEPAD
Right click on a .JS file and then click on: Open with | Choose another app | More apps ↓
Select Notepad and then turn on Always use this app to open .js files:
Note that this doesn’t disable the Windows Script Host altogether.
- Right click in Explorer and use Open with to launch it with the Script Host.
- Open a command prompt and run the script with wscript filename.js.
HOW TO TELL EXPLORER TO SHOW FILE EXTENSIONS
Click on the View menu and turn on the tick-box labelled File name extensions: