Ransom32

One example of the Ransom32 variant. Image Source: Emsisoft

Ransom32 currently targets Windows, but because it is written in JavaScript it can easily be repackaged to affect Mac and Linux operating systems. It is built on the NW.js (formerly node-webkit) framework, which packages web technologies into desktop applications, and it spreads via spam emails carrying a malicious compressed RAR file of about 32 MB. Once a system is infected, Ransom32 creates a shortcut named “ChromeService” in the Startup folder to maintain persistence. It then uses Tor to connect to its C2 server, exchanges keys with it, encrypts the victim’s files using AES-128, and displays a ransom note. Ransom32 is part of a “ransomware-as-a-service” campaign; its creators offer customized versions to affiliates in return for a 25 percent cut of the profits.

  • Emsisoft provides more information about Ransom32, found here.
  • The NJCCIC is not aware of any decryption tools available for Ransom32.
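The persistence artifact described above (a “ChromeService” shortcut in the Startup folder) is something a defender can check for directly. The following PowerShell script is an added example, not code from the original page or from Emsisoft or the NJCCIC; it assumes Windows PowerShell with read access to both the per-user and all-users Startup folders, and the second heuristic (a Chrome-like shortcut launching from a user-writable path) is a generalization beyond the specific name the profile gives.

```powershell
# Added example: enumerate Startup-folder shortcuts and flag the Ransom32
# persistence artifact ("ChromeService") or Chrome-like shortcuts that launch
# from user-writable locations. Assumes Windows PowerShell; no admin rights are
# needed to read the per-user folder, but CommonStartup may require elevation.

function Get-StartupShortcuts {
    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter '*.lnk' -File | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)   # resolve the .lnk target
            [pscustomobject]@{
                Folder     = $folder
                Name       = $_.BaseName
                TargetPath = $lnk.TargetPath
                Arguments  = $lnk.Arguments
                Modified   = $_.LastWriteTime
            }
        }
    }
}

function Test-SuspiciousStartupShortcut {
    param([Parameter(Mandatory)][pscustomobject]$Shortcut)
    $reasons = @()
    # Shortcut name Ransom32 uses for persistence, as stated in the profile above.
    if ($Shortcut.Name -ieq 'ChromeService') {
        $reasons += 'name matches Ransom32 persistence artifact'
    }
    # Legitimate Chrome installs under Program Files; a Chrome-like shortcut whose
    # target sits under AppData or Temp is a generic heuristic worth reviewing.
    if ($Shortcut.Name -imatch 'chrome' -and $Shortcut.TargetPath -imatch '\\(AppData|Temp)\\') {
        $reasons += 'Chrome-like name launching from a user-writable path'
    }
    [pscustomobject]@{
        Shortcut   = $Shortcut
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons
    }
}

# Report only the shortcuts that tripped a heuristic.
Get-StartupShortcuts | ForEach-Object { Test-SuspiciousStartupShortcut -Shortcut $_ } |
    Where-Object Suspicious |
    Format-Table -AutoSize @{n='Name';e={$_.Shortcut.Name}},
                           @{n='Target';e={$_.Shortcut.TargetPath}}, Reasons
```

A hit on the first heuristic is a strong indicator; a hit on the second alone warrants checking the target binary before treating the host as infected.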