All about Ransom32 RaaS

Yes, a new ransomware variant has been spotted: Ransom32 RaaS.

Even though it doesn’t rename encrypted files, some call it a CryptoLocker successor because it also encrypts files with AES.

However, Ransom32 is really in its own league, because it differs from other ransomware variants in two very significant ways:

  1. Ransom32 is the first ransomware written in JavaScript. It is built on NW.js, a framework for writing regular desktop applications for Windows, Linux and Mac in JavaScript. So far Ransom32 has only been seen packaged for Windows, but the same code could easily be packaged to hit Mac and Linux as well.
  2. Ransom32 is also offered as Ransomware-as-a-Service (RaaS). The service is hosted on Tor, and anyone can download and distribute his or her own copy of the ransomware. Joining as an affiliate could hardly be easier: all that is needed is a Bitcoin address.
[Image: Ransom32 affiliate sign-up page, which asks only for a Bitcoin address. Source: Emsisoft’s report on Ransom32]

Once the affiliate submits a Bitcoin address, a console is revealed. It shows the statistics of the campaign, including payments made and systems infected, and it exposes settings such as how many bitcoins to demand and what messages to display to victims.

Looking at the console below, the authors of Ransom32 currently take a 25% cut of the ransom payments.

[Image: Ransom32 affiliate console showing campaign statistics, the 25% cut taken by the authors and the configurable ransom settings. Source: Emsisoft’s report on Ransom32]

What happens during encryption?

Ransom32 enters the system through the usual methods: phishing, outdated software with known vulnerabilities, and so on. As soon as it is installed and launched, it connects to a command-and-control server on Tor and then displays the ransom note together with the Bitcoin address the victim is supposed to pay to.

Keep in mind that the victim’s computer will not noticeably slow down during encryption: Ransom32 throttles itself so that it never consumes more than 25% of the CPU, so a sluggish machine is not a reliable warning sign that encryption is in progress.

Will paying the ransom decrypt files?

Yes, and Ransom32 goes out of its way to convince victims of that. Another interesting and novel feature is a “proof of life” check: before the victim pays, the attacker demonstrates that files can be decrypted once the ransom is paid (the affected file types are listed below).

Ransom32 “offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption,” said Emsisoft CTO and malware researcher Fabian Wosar. “During this process the malware will send the encrypted AES key from the chosen file to the command-and-control server and get the decrypted per-file AES key back in return.”

[Image: Ransom32 “proof of life” dialog offering to decrypt a single file before payment. Source: Emsisoft’s report on Ransom32]
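The key handling behind that exchange, as an added example (not code from the article or from Emsisoft’s analysis): every file is encrypted under its own AES key, the per-file key is stored in a form only the command-and-control server can unwrap, and the “proof of life” step has the server unwrap exactly one of those keys. Two details are assumptions, not facts from the article: the per-file keys are wrapped with an RSA-OAEP public key fetched from the server, and AES runs in CTR mode with a 128-bit key. The example needs the `cryptography` package.

```python
"""Ransom32-style per-file keys and the "proof of life" exchange.

Added example, not the malware's code. Models what the quoted paragraph
describes: the victim's disk holds only ciphertext plus wrapped keys, and the
server can release one file's key without releasing anything else.
Assumptions: RSA-OAEP key wrapping, AES-128-CTR for file contents.
"""
import os
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class C2Server:
    """Attacker side: the only holder of the private key."""

    def __init__(self):
        self._priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        self.unwrap_requests = 0  # how many per-file keys have been released

    def public_key_pem(self) -> bytes:
        # What the malware would fetch on first contact (assumption).
        return self._priv.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo)

    def unwrap_one_key(self, wrapped_key: bytes) -> bytes:
        # "Proof of life": only this file's AES key leaves the server;
        # the private key never does, so every other file stays locked.
        self.unwrap_requests += 1
        return self._priv.decrypt(wrapped_key, OAEP)


def encrypt_file(plaintext: bytes, public_key_pem: bytes):
    """Encrypt one file under a fresh key; return (ciphertext, nonce, wrapped_key)."""
    pub = serialization.load_pem_public_key(public_key_pem)
    file_key = os.urandom(16)           # new key for every file, as the article says
    nonce = os.urandom(16)
    enc = Cipher(algorithms.AES(file_key), modes.CTR(nonce)).encryptor()
    ciphertext = enc.update(plaintext) + enc.finalize()
    wrapped = pub.encrypt(file_key, OAEP)  # victim cannot undo this without the server
    return ciphertext, nonce, wrapped


def decrypt_file(ciphertext: bytes, nonce: bytes, file_key: bytes) -> bytes:
    dec = Cipher(algorithms.AES(file_key), modes.CTR(nonce)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def proof_of_life(server: C2Server, victim_files, index: int) -> bytes:
    """Victim picks one encrypted file; the server returns that file's key only."""
    ciphertext, nonce, wrapped = victim_files[index]
    return decrypt_file(ciphertext, nonce, server.unwrap_one_key(wrapped))


if __name__ == "__main__":
    server = C2Server()
    pem = server.public_key_pem()
    documents = [b"quarterly report", b"family photos"]   # constructed sample "files"
    on_disk = [encrypt_file(d, pem) for d in documents]
    print("proof of life:", proof_of_life(server, on_disk, 0))
    key0 = server.unwrap_one_key(on_disk[0][2])
    print("file 0's key on file 1:", decrypt_file(on_disk[1][0], on_disk[1][1], key0))
```

The point of the last two lines is the one a responder cares about: the key handed back for the demo file is useless against any other file, so a successful “proof of life” tells you the scheme works, not that you can recover anything without paying.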

Mitigation

Read our Complete Ransomware Guide for information on how to detect and mitigate this pesky problem.

File types targeted [1]

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .*sav*, .*spv*, .*grle*, .*mlx*, .*sv5*, .*game*, .*slot*, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .csv, .efx, .sdf, .vcf, .xml, .ses, .dat

So far, Ransom32 does not rename encrypted files, and it skips files in the following folders:

  • windows
  • winnt
  • programdata
  • boot
  • temp
  • tmp
  • $recycle.bin

To check whether a client computer (or server) has been infected, look for the presence of the following files. The “Chrome Browser” folder is the renamed NW.js runtime (chrome.exe, nw.pak, icudtl.dat, ffmpegsumo.dll and the locales folder are standard NW.js/Chromium files), and its .chrome subfolder is the data directory of the bundled Tor client (cached-certs, cached-microdesc-consensus, state and lock are Tor’s own state files), so that combination under %AppData%, together with the ChromeService.lnk Startup shortcut used for persistence, is a much stronger signal than any single file:

%Temp%\nw3932_17475
%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk
%AppData%\Chrome Browser\
%AppData%\Chrome Browser\.chrome\
%AppData%\Chrome Browser\.chrome\cached-certs
%AppData%\Chrome Browser\.chrome\cached-microdesc-consensus
%AppData%\Chrome Browser\.chrome\cached-microdescs
%AppData%\Chrome Browser\.chrome\cached-microdescs.new
%AppData%\Chrome Browser\.chrome\lock
%AppData%\Chrome Browser\.chrome\state
%AppData%\Chrome Browser\chrome
%AppData%\Chrome Browser\chrome.exe
%AppData%\Chrome Browser\ffmpegsumo.dll
%AppData%\Chrome Browser\g
%AppData%\Chrome Browser\icudtl.dat
%AppData%\Chrome Browser\locales\
%AppData%\Chrome Browser\msgbox.vbs
%AppData%\Chrome Browser\n.l
%AppData%\Chrome Browser\n.q
%AppData%\Chrome Browser\nw.pak
%AppData%\Chrome Browser\rundll32.exe
%AppData%\Chrome Browser\s.exe
%AppData%\Chrome Browser\u.vbs
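A check that walks the indicator list above, as an added example (not a tool from the article, from Emsisoft or from any vendor). It takes the %AppData% and %Temp% roots as parameters so it can be run on a live profile, pointed at a mounted disk image, or exercised on the constructed tree that `make_fixture()` builds. Two assumptions not stated in the article: the digits in the %Temp%\nw3932_17475 name vary per run (NW.js names its unpack directory from the process id and a random number), so the code matches the nw*_* pattern instead of the exact name; and the Startup shortcut or the renamed chrome.exe alone is treated as a confirmed infection while the other entries are supporting evidence.

```python
"""Check a Windows user profile for the Ransom32 artefacts listed above.

Added example, not code from the article or from Emsisoft's report. Paths
are written with "/" so the same code works on a profile copied to or
mounted under Linux; pathlib handles the separator on Windows.
"""
import os
import tempfile
from pathlib import Path

# Indicators relative to %AppData%, copied from the list above.
APPDATA_INDICATORS = [
    "Microsoft/Windows/Start Menu/Programs/Startup/ChromeService.lnk",
    "Chrome Browser",
    "Chrome Browser/.chrome",
    "Chrome Browser/.chrome/cached-certs",
    "Chrome Browser/.chrome/cached-microdesc-consensus",
    "Chrome Browser/.chrome/cached-microdescs",
    "Chrome Browser/.chrome/cached-microdescs.new",
    "Chrome Browser/.chrome/lock",
    "Chrome Browser/.chrome/state",
    "Chrome Browser/chrome",
    "Chrome Browser/chrome.exe",
    "Chrome Browser/ffmpegsumo.dll",
    "Chrome Browser/g",
    "Chrome Browser/icudtl.dat",
    "Chrome Browser/locales",
    "Chrome Browser/msgbox.vbs",
    "Chrome Browser/n.l",
    "Chrome Browser/n.q",
    "Chrome Browser/nw.pak",
    "Chrome Browser/rundll32.exe",
    "Chrome Browser/s.exe",
    "Chrome Browser/u.vbs",
]

# Assumption: either of these alone confirms an infection. The Startup
# shortcut is the persistence mechanism; chrome.exe is the renamed NW.js
# runtime that carries the malware.
STRONG_INDICATORS = {
    "Microsoft/Windows/Start Menu/Programs/Startup/ChromeService.lnk",
    "Chrome Browser/chrome.exe",
}


def scan_for_ransom32(appdata=None, temp=None):
    """Return the indicators (relative names) that exist under the given roots."""
    appdata = Path(appdata or os.environ.get("APPDATA", ""))
    temp = Path(temp or os.environ.get("TEMP", ""))
    hits = [rel for rel in APPDATA_INDICATORS
            if appdata.joinpath(*rel.split("/")).exists()]
    # The article lists %Temp%\nw3932_17475; the digits are generated per run
    # (assumption), so match the NW.js nw<digits>_<digits> pattern instead.
    for d in sorted(temp.glob("nw[0-9]*_[0-9]*")):
        if d.is_dir():
            hits.append("%Temp%/" + d.name)
    return hits


def is_ransom32_present(hits):
    """True when at least one strong indicator was found."""
    return any(h in STRONG_INDICATORS for h in hits)


def make_fixture(infected):
    """Build a constructed profile tree in a fresh temp dir; return (appdata, temp)."""
    root = Path(tempfile.mkdtemp(prefix="ransom32_demo_"))
    appdata, temp = root / "AppData" / "Roaming", root / "Temp"
    appdata.mkdir(parents=True)
    temp.mkdir()
    # A clean profile still has a real Startup folder and unrelated temp files.
    (appdata / "Microsoft/Windows/Start Menu/Programs/Startup").mkdir(parents=True)
    (temp / "notes.tmp").write_text("benign")
    if infected:
        for rel in ("Microsoft/Windows/Start Menu/Programs/Startup/ChromeService.lnk",
                    "Chrome Browser/.chrome/state",
                    "Chrome Browser/chrome.exe",
                    "Chrome Browser/nw.pak"):
            p = appdata.joinpath(*rel.split("/"))
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"")
        (temp / "nw3932_17475").mkdir()
    return str(appdata), str(temp)


if __name__ == "__main__":
    for label, roots in (("infected", make_fixture(True)), ("clean", make_fixture(False))):
        found = scan_for_ransom32(*roots)
        verdict = "INFECTED" if is_ransom32_present(found) else "no Ransom32"
        print(f"{label}: {verdict} {found}")
```

Run without arguments on a Windows host to check the current user, or pass the two roots of another profile (for example one mounted from a disk image). Existence of the path is all that is checked; on a host where the malware has already cleaned up, the Tor state files under .chrome may be the only trace left.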
[1] http://www.bleepingcomputer.com/news/security/ransom32-is-the-first-ransomware-written-in-javascript/
