Ransom32 is ransomware built on the NW.js platform, which allows developers to create native applications for Linux, macOS, and Microsoft Windows. It was first reported by users in BleepingComputer's forums. Its affiliate service was discovered by Fabian Wosar of Emsisoft and security researcher xXToffeeXx. It is the first ransomware written entirely in JavaScript, HTML, and CSS.

Payload

Transmission

Ransom32 is distributed through email spam with malicious attachments. The malicious file is delivered in an email disguised as an unpaid invoice, delivery notification, or similar.

Infection

When this executable is run, it extracts numerous files into the C:\Users\User\AppData\Roaming\Chrome Browser folder and creates a shortcut in the Start Menu's Startup folder called ChromeService so that the ransomware starts at login. The shortcut points to a chrome.exe executable that is actually an NW.js package containing the JavaScript code that encrypts the victim's data and then displays a ransom note.

The files extracted into the Chrome Browser folder are:

  • chrome - The Chromium license agreement.
  • chrome.exe - This is the main executable for the malware and is a packaged NW.js application bundled with Chromium.
  • ffmpegsumo.dll - HTML5 video decoder DLL that is bundled with Chromium.
  • g - The settings file that contains various information used by the malware. This information includes the affiliate's ransom amount, bitcoin address that they receive payments on, and error message that is shown in a messagebox if the Show a message Box setting was enabled.
  • icudtl.dat - File used by Chromium
  • locales - Folder containing various language packs used by Chrome.
  • msgbox.vbs - The messagebox displayed if the affiliate enabled the Show a message Box setting.
  • nw.pak - Required for the NW.JS platform.
  • rundll32.exe - Renamed TOR executable so that the malware can communicate with the TOR Command and Control server.
  • s.exe - Renamed Shortcut.exe from OptimumX. This is a legitimate program used by the malware to create the ChromeService shortcut in the Startup folder.
  • u.vbs - A VBS script that deletes a specified folder and its contents.
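The persistence layout described above (a Startup-folder shortcut named ChromeService pointing at a chrome.exe under Roaming\Chrome Browser, a renamed rundll32.exe outside the Windows directory, and the companion files listed) is easy to check for in a host file inventory. The following Node.js function is an added example, not code from this page or from Ransom32; the inventory shape (`{ path, lnkTarget }`), the shortcut file name `ChromeService.lnk`, and the sample entries are assumptions constructed for the illustration.

```javascript
// Added example, not code from the page or from Ransom32: scan a host file inventory
// for the persistence layout described above. The inventory shape ({ path, lnkTarget })
// and the shortcut file name "ChromeService.lnk" are assumptions of this illustration.

const INSTALL_DIR_SUFFIX = "\\appdata\\roaming\\chrome browser"; // install folder per the page
const STARTUP_DIR_SUFFIX = "\\start menu\\programs\\startup";     // per-user Startup folder
// Files the page lists beside chrome.exe; their presence corroborates a hit.
const COMPANION_FILES = ["g", "msgbox.vbs", "u.vbs", "s.exe", "rundll32.exe",
                         "nw.pak", "ffmpegsumo.dll", "icudtl.dat", "chrome"];

function dirOf(p) {
  const i = p.lastIndexOf("\\");
  return i < 0 ? "" : p.slice(0, i);
}
function baseName(p) {
  return p.slice(p.lastIndexOf("\\") + 1);
}

// Returns a list of findings; an empty list means none of the indicators were seen.
function findRansom32Indicators(inventory) {
  const findings = [];
  const entries = inventory.map((e) => ({
    path: e.path.toLowerCase(),
    lnkTarget: (e.lnkTarget || "").toLowerCase(),
  }));

  for (const e of entries) {
    // 1. Startup shortcut "ChromeService" whose target is chrome.exe in Roaming\Chrome Browser.
    if (dirOf(e.path).endsWith(STARTUP_DIR_SUFFIX) &&
        baseName(e.path) === "chromeservice.lnk" &&
        baseName(e.lnkTarget) === "chrome.exe" &&
        dirOf(e.lnkTarget).endsWith(INSTALL_DIR_SUFFIX)) {
      findings.push({ type: "startup-shortcut", path: e.path, target: e.lnkTarget });
    }
    // 2. rundll32.exe anywhere outside a Windows directory (the page says the
    //    malware ships a renamed Tor client under this name).
    if (baseName(e.path) === "rundll32.exe" &&
        !dirOf(e.path).split("\\").includes("windows")) {
      findings.push({ type: "renamed-rundll32", path: e.path });
    }
  }

  // 3. Companion files present in the Chrome Browser folder.
  const installFiles = entries
    .filter((e) => dirOf(e.path).endsWith(INSTALL_DIR_SUFFIX))
    .map((e) => baseName(e.path));
  const present = COMPANION_FILES.filter((f) => installFiles.includes(f));
  if (present.length > 0) {
    findings.push({ type: "companion-files", files: present });
  }
  return findings;
}

// Constructed sample inventory: one infected-looking layout plus benign entries.
const SAMPLE_INVENTORY = [
  { path: "C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ChromeService.lnk",
    lnkTarget: "C:\\Users\\User\\AppData\\Roaming\\Chrome Browser\\chrome.exe" },
  { path: "C:\\Users\\User\\AppData\\Roaming\\Chrome Browser\\chrome.exe" },
  { path: "C:\\Users\\User\\AppData\\Roaming\\Chrome Browser\\rundll32.exe" },
  { path: "C:\\Users\\User\\AppData\\Roaming\\Chrome Browser\\g" },
  { path: "C:\\Users\\User\\AppData\\Roaming\\Chrome Browser\\msgbox.vbs" },
  { path: "C:\\Users\\User\\AppData\\Roaming\\Chrome Browser\\u.vbs" },
  { path: "C:\\Windows\\System32\\rundll32.exe" },                 // legitimate, must not fire
  { path: "C:\\Users\\User\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk",
    lnkTarget: "C:\\Users\\User\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" },
];

console.log(JSON.stringify(findRansom32Indicators(SAMPLE_INVENTORY), null, 2));
```

The shortcut check is the strongest single indicator because it ties the three facts from the page together (shortcut name, Startup location, and target path); the rundll32.exe and companion-file checks are corroboration, and a legitimate rundll32.exe under C:\Windows does not fire.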

When encrypting the user's data, Ransom32 will target only specific file extensions and encrypt them using AES encryption. The targeted file extensions are:

.3dm, .3g2, .3gp, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf,
.asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb,
.docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .*game*, .gif,
.grle, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg,
.m3u, .m3u8, .m4u, .max, .mdb, .mid, .*mlx*, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg,
.msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps,
.ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .ra, .raw, .rb, .rtf,
.*sav*, .sdf, .ses, .sldm, .sldx, .*slot*, .*spv*, .sql, .sv5, .svg, .swf, .tif, .txt,
.vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb,
.xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx

Ransom32 uses wildcards in the targeted file extensions, which allows the program to target a greater variety of extensions. For example, with the .*sav* extension, not only will .sav files be targeted, but files ending with .save, .gamesave, or .mysaves will be encrypted as well. When encrypting data files, it does not rename a victim's files and will not encrypt any files located in the following folders:

  • windows
  • winnt
  • programdata
  • boot
  • temp
  • tmp
  • $recycle.bin
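When scoping recovery after an incident, it helps to know which files the targeting rules above would have covered. The Node.js code below is an added example, not code from this page or from Ransom32: it implements the general wildcard rule of which the page shows one instance (`*` matching any run of characters in the extension, so `.*sav*` covers .save, .gamesave and .mysaves) together with the excluded-folder rule, and runs it over a constructed file listing. The matching semantics (case-insensitive comparison, a folder exclusion applying to any path component) and the sample paths are assumptions; only a subset of the page's extension list is included to keep the block short.

```javascript
// Added example, not code from the page or from Ransom32: decide which files in an
// inventory the described targeting rules would cover, for impact assessment.
// Extensions and excluded folder names are quoted from the page (a subset of the
// extension list); the matching semantics are assumptions of this illustration.

const TARGETED_EXTENSIONS = [
  ".3dm", ".c", ".doc", ".docx", ".jpeg", ".jpg", ".*game*", ".*sav*",
  ".*slot*", ".sql", ".txt", ".xlsx",
  // ... the page's full list continues; a subset suffices for the demonstration
];

const EXCLUDED_FOLDERS = ["windows", "winnt", "programdata", "boot", "temp", "tmp", "$recycle.bin"];

// Turn one extension pattern such as ".*sav*" into an anchored, case-insensitive regex:
// literal characters are escaped and every '*' becomes '.*'.
function extensionToRegex(pattern) {
  const escaped = pattern
    .split("*")
    .map((part) => part.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i");
}

const EXTENSION_MATCHERS = TARGETED_EXTENSIONS.map(extensionToRegex);

// Extension of a path: from the last '.' in the final component, or "" if there is none
// (a leading dot alone, as in ".bashrc", is not treated as an extension).
function extensionOf(path) {
  const name = path.split(/[\\/]/).pop();
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot) : "";
}

// Assumption: the exclusion applies when any directory component matches an excluded name.
function inExcludedFolder(path) {
  const dirs = path.toLowerCase().split(/[\\/]/).slice(0, -1);
  return dirs.some((d) => EXCLUDED_FOLDERS.includes(d));
}

function isTargeted(path) {
  if (inExcludedFolder(path)) return false;
  const ext = extensionOf(path);
  return ext !== "" && EXTENSION_MATCHERS.some((re) => re.test(ext));
}

// Partition an inventory into files the rules would cover and files they would skip.
function scopeInventory(paths) {
  const inScope = [];
  const outOfScope = [];
  for (const p of paths) (isTargeted(p) ? inScope : outOfScope).push(p);
  return { inScope, outOfScope };
}

// Constructed sample inventory.
const SAMPLE_PATHS = [
  "C:\\Users\\alice\\Documents\\budget.xlsx",          // plain extension match
  "C:\\Users\\alice\\Pictures\\holiday.JPG",           // case-insensitive match
  "C:\\Users\\alice\\Games\\profile.gamesave",         // matches both .*game* and .*sav*
  "C:\\Users\\alice\\Games\\quick.mysaves",            // matches .*sav*
  "C:\\Users\\alice\\Desktop\\notes.txt",
  "C:\\Windows\\System32\\drivers\\etc\\hosts.txt",    // excluded folder
  "C:\\ProgramData\\vendor\\config.sql",               // excluded folder
  "C:\\Users\\alice\\Music\\track.flac",               // extension not listed
  "C:\\Users\\alice\\Documents\\README",               // no extension
];

console.log(scopeInventory(SAMPLE_PATHS));
```

Note that a wildcard pattern is anchored at both ends only after the `*` expansion, so `.sav` without wildcards matches exactly `.sav`, while `.*sav*` matches any extension containing `sav`; this is the distinction the paragraph above describes.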

When it has finished encrypting the user's data, it displays the Ransom32 lock screen, which serves as the ransom note. The lock screen tells the victim what has happened to their files, how to pay the ransom, the ransom amount, and the bitcoin address the payment is to be sent to. The lock screen is displayed in either English or Spanish, with English appearing to be the default. This screen allows the user to decrypt one file for free to prove that decryption is possible.
