Crimeware services are nothing new. Criminals for years have advertised on the underground not only malware, but management services and support for banking Trojans, exploit kits and more.
The service also includes a management interface that allows the criminal to configure the message presented to the victim and how much ransom to demand. Through the same interface, they can lock the infected computer, keep CPU usage low while files are encrypted, and control latent timeouts. The interface can also be used to track income statistics, including how many times the ransomware has been installed, how many victims paid, how many were shown the lockscreen, and how much Bitcoin they’ve racked up.
The first Ransom32 infections were reported to BleepingComputer and analyzed by researchers at Emsisoft. Researcher Fabian Wosar said the download is quite large (22 MB) compared to other ransomware. Wosar explained that Ransom32 arrives in a WinRAR archive and contains a number of files, including a Chromium executable disguised to look like the Chrome browser; it is actually the NW.js application that contains the malware and the framework required to run it.
For now, the researchers believe that Ransom32 is confined to Windows, but with some alterations it could certainly become a cross-platform service.
The ransomware’s behavior is fairly typical of similar malware. It comes bundled with Tor, which it uses to connect to the command and control server and to retrieve the Bitcoin address where payments are to be sent. The crypto keys are also sent over this connection.
“What makes the Ransom32 RaaS so scary is that JavaScript and HTML are cross-platform and run equally as well on Macs and Linux as they do in Windows,” said Lawrence Abrams of BleepingComputer. “This means that with some minor tweaks, the Ransom32 developers could easily make NW.js packages for Linux and Mac computers. Though there does not seem to be any indication that this is being done as of yet, doing so would be trivial. It is inevitable that ransomware will be created for operating systems other than Windows. Using a platform like NW.js just brings us one step closer.”