Since June of 2016, the world has been plagued by new variants of Locky ransomware that is based solely on JavaScript. This truly sucks because on Windows, JavaScript outside your browser runs in the Windows Script Host, which doesn't sandbox the script code; so it can do whatever it wants. Also, malware authors get access to already-built crypto APIs that makes their job much easier. This evolution has aided the spread of the malware even further than previously seen with other ransomware. In this talk, we will dissect the JS/Ransom-DDL malware and see how it works -- in terms of its installation, payload, command & control, encryption, obfuscation, etc., and even its evil attempt to install a secondary Trojan to steal passwords. Finally, we will try to come up with some practical countermeasures to help thwart it and its variants in the future.