Fabian Wosar of security firm Emsisoft explained in a blog post that Ransom32 can be signed up for on a Tor site using just a Bitcoin address to which the spoils will be sent—minus a 25% cut.
After signing up, users will be able to access a basic admin page—enabling them to see how many systems are infected; observe how much money has been collected; and tweak various settings for the ransomware.
These include how much BTC to request from victims, and whether to fully lock the computer or allow a victim to minimize the lock screen—enabling them to check whether their files are fully encrypted or not.
Ransom32 is a 22MB self-extracting RAR file, which weighs in at over 67MB when extracted. Once run, the executable creates a shortcut, ChromeService, which points to a chrome.exe package.
NW.js has several advantages.
As a legitimate framework it can fly in under the radar of traditional signature defenses, and could theoretically work with a few minor adjustments on Linux and Mac OS X systems, although it’s only been observed as a Windows threat thus far.
Once Ransom32 is executed and installed, it will connect to a C&C server on Tor, note the Bitcoin address to which the victim is told to pay the ransom, and display the blackmail message.
Encryption is AES with a 128-bit key, and the malware includes an option to decrypt one file to prove to the victim that decryption is possible.
Wosar claimed that, when it comes to ransomware, “the best protection is a well-organized backup strategy.”
He added that security tools featuring behavioral analysis to complement traditional signature techniques are more likely to catch such advanced strains.
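As an added illustration of the behavioural angle Wosar describes (this is example code written for this page, not Emsisoft's tooling or anything from the Ransom32 analysis), the script below runs two checks over constructed endpoint telemetry: a startup shortcut named ChromeService that resolves to a chrome.exe outside the real Chrome install directory, matching the NW.js package the article describes, and a burst of file writes by one process, which is what bulk encryption looks like regardless of signature. The install paths, process ids, file names and thresholds are assumptions for the sample data, not indicators from the article.

```python
from collections import defaultdict

# Directories where a genuine chrome.exe is expected (assumed defaults).
LEGIT_CHROME_DIRS = (
    r"c:\program files\google\chrome\application",
    r"c:\program files (x86)\google\chrome\application",
)

def suspicious_shortcuts(shortcuts):
    """shortcuts: list of (name, target_path) for startup shortcuts.
    Flags a 'ChromeService' shortcut whose chrome.exe lives outside
    the normal Chrome install path, i.e. a repackaged NW.js runtime."""
    flagged = []
    for name, target in shortcuts:
        t = target.lower()
        if (name.lower() == "chromeservice" and t.endswith("chrome.exe")
                and not any(t.startswith(d) for d in LEGIT_CHROME_DIRS)):
            flagged.append((name, target))
    return flagged

def encryption_bursts(events, threshold=20, window=60):
    """events: iterable of (ts_seconds, pid, action, path).
    Returns the set of pids that wrote >= threshold distinct files within
    any window-second span; in-place encryption of user documents
    produces exactly this pattern, whatever the binary is called."""
    writes = defaultdict(list)
    for ts, pid, action, path in events:
        if action == "write":
            writes[pid].append((ts, path))
    flagged = set()
    for pid, w in writes.items():
        w.sort()
        for i, (t0, _) in enumerate(w):
            distinct = {p for t, p in w[i:] if t - t0 <= window}
            if len(distinct) >= threshold:
                flagged.add(pid)
                break
    return flagged

# Constructed sample telemetry (not real artefacts): one dropped shortcut,
# one legitimate Chrome shortcut, one process touching 25 documents in
# 25 seconds and one ordinary editor saving a single file twice.
SAMPLE_SHORTCUTS = [
    ("ChromeService", r"C:\Users\alice\AppData\Local\Temp\cs\chrome.exe"),
    ("Google Chrome", r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
]
SAMPLE_EVENTS = (
    [(10 + i, 4242, "write", rf"C:\Users\alice\Documents\report{i}.docx")
     for i in range(25)]
    + [(5, 1001, "write", r"C:\Users\alice\Documents\notes.txt"),
       (300, 1001, "write", r"C:\Users\alice\Documents\notes.txt")]
)
```

Running `suspicious_shortcuts(SAMPLE_SHORTCUTS)` flags only the Temp-directory ChromeService entry, and `encryption_bursts(SAMPLE_EVENTS)` returns `{4242}`.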