Yes, a new ransomware variant has been spotted: Ransom32 RaaS.
However, Ransom32 is in a league of its own, differing from other ransomware variants in two significant ways:
- Ransom32 is also being offered as a Ransomware-as-a-Service (RaaS). Hosted on TOR, the service lets anyone download and distribute his or her own copy of the ransomware. It’s very easy to join as an affiliate of this RaaS – all that’s needed is a bitcoin address.
Once the attacker submits a bitcoin address, a console is revealed. It shows the statistics of the campaign, including payments made and systems infected. In addition, there are settings that can be configured, like how many bitcoins to demand and what messages should be displayed to victims.
As the console below shows, the authors of Ransom32 currently take a 25% cut of the ransom profits.
What happens during encryption?
The malware enters the system through the usual methods – phishing, outdated software with known vulnerabilities, etc. As soon as it is installed and launched, Ransom32 connects to a command-and-control server on TOR and displays a ransom note (see image below) together with the bitcoin address to which victims are supposed to pay.
Keep in mind that during encryption, the victim’s computer will not slow down: Ransom32 will never consume more than 25% of the CPU resources.
Will paying the ransom decrypt files?
Yes. Another interesting and novel feature of Ransom32 is its “proof of life” mechanism: before you pay the ransom, the attacker demonstrates to the victim that files can be decrypted once the ransom is paid (see the affected file types below).
Ransom32 “offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption,” said malware researcher and CTO Fabian Wosar. “During this process the malware will send the encrypted AES key from the chosen file to the Command and control server and gets the decrypted per-file AES key back in return.”
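The exchange Wosar describes, modelled as an added example (this is not Ransom32's code and not from the original post): each file is sealed under its own AES-GCM key, that key is stored only wrapped to an RSA public key (the wrapping scheme and key sizes are assumptions; the page only says the per-file key is stored encrypted), the C2 side unwraps exactly the one key it is sent, and the released key opens that file and no other. This is why the demonstration costs the operator nothing and leaves the victim no closer to recovering the rest.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// encFile models one encrypted file: content under its own random AES key, with that key kept only wrapped (RSA-OAEP, an assumption).
type encFile struct {
	Ciphertext []byte // AES-GCM nonce || ciphertext || tag
	WrappedKey []byte // per-file AES key; only the holder of the RSA private key can unwrap it
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // fails only on a bad key length; keys here are 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// encryptFile is the infected-host side: a fresh key per file, wrapped before the content is sealed, so no usable key remains on the victim's machine.
func encryptFile(pub *rsa.PublicKey, plaintext []byte) (encFile, error) {
	buf := make([]byte, 44) // 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return encFile{}, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return encFile{}, err
	}
	ct := newGCM(key).Seal(nonce, nonce, plaintext, nil)
	return encFile{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// proofOfLife is the C2 side of the quoted exchange: unwrap exactly the one submitted per-file key and return it; the RSA private key never leaves the server.
func proofOfLife(priv *rsa.PrivateKey, wrappedKey []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
}

// decryptFile is the victim side once a per-file key has come back; GCM authentication makes it fail against any other file.
func decryptFile(key []byte, f encFile) ([]byte, error) {
	gcm := newGCM(key)
	return gcm.Open(nil, f.Ciphertext[:gcm.NonceSize()], f.Ciphertext[gcm.NonceSize():], nil)
}
```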
Read our Complete Ransomware Guide for information on how to detect and mitigate this pesky problem.
File types targeted
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .*sav*, .*spv*, .*grle*, .*mlx*, .*sv5*, .*game*, .*slot*, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .csv, .efx, .sdf, .vcf, .xml, .ses, .dat
So far, Ransom32 does not rename encrypted files and does not encrypt files in the following folders:
To check whether a client computer (or server) has been infected, look for the presence of these files: