Signup for the ransomware is handled through a hidden service on the Tor network, and it requires a Bitcoin address to which the funds generated by the ransomware are to be sent. That is not all: Ransom32 also has a full-fledged dashboard where attackers can check the statistics of their ransomware campaign and see whether victims have paid. The dashboard also lets them change the amount of Bitcoin the malware asks for and show fake message boxes during installation of the malware.
How it works
Ransom32 is very different from other malware in that it arrives as a 22 MB file, whereas most malware files are smaller than 1 MB. The file is, in essence, a WinRAR self-extracting archive: it uses the scripting language built into WinRAR's self-extractor to unpack its contents into the user's temporary directory automatically and then execute the “Chrome.exe” file from the archive.
The clever part of the malware is the “Chrome.exe” file, which looks like a copy of the Chrome browser. The fact that it carries no proper digital signature and no version information is the tell-tale sign that the file is not the actual Chrome browser, and a closer look shows that it is an application packaged with NW.js, a framework that bundles Node.js with the Chromium runtime, which is why the dropped binary resembles Chrome in the first place.
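The two tell-tale signs mentioned above (no Authenticode signature, no version information) can be checked directly from the PE header without running the file. The following is an added example written for this article, not code from Emsisoft or from the Ransom32 analysis: it parses the PE header with only the Python standard library, reads the Security data directory (index 4), which is non-empty when a certificate table is attached, and looks for the UTF-16LE string “VS_VERSION_INFO” that a version resource always contains. The `build_sample_pe` helper constructs a minimal, non-executable PE32+ image so the checks can be exercised offline; the function names and the placeholder certificate bytes are assumptions for the example.

```python
"""Heuristic PE triage for a file that claims to be Chrome.exe:
does it carry an Authenticode certificate table and a version resource?
Added example for this article; not code from the original analysis."""
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # certificate table slot in the data directories
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B   # optional header magic values

_INVALID = {"valid_pe": False, "has_authenticode": False, "has_version_info": False}


def pe_indicators(data: bytes) -> dict:
    """Return valid_pe / has_authenticode / has_version_info for a PE image in memory.

    Only the headers are parsed. The Security directory stores a raw file offset
    (not an RVA) and the size of the WIN_CERTIFICATE structure; a non-empty entry
    means a signature blob is attached. Whether that signature actually verifies
    must be checked separately with a real Authenticode verifier.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return dict(_INVALID)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return dict(_INVALID)
    opt = e_lfanew + 4 + 20                   # 4-byte signature + 20-byte COFF header
    if len(data) < opt + 2:
        return dict(_INVALID)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        nrva_off, dd_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dd_off = opt + 108, opt + 112
    else:
        return dict(_INVALID)
    num_dirs = struct.unpack_from("<I", data, nrva_off)[0]
    has_sig = False
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        entry = dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
        sec_off, sec_size = struct.unpack_from("<II", data, entry)
        # 8 bytes is the minimum WIN_CERTIFICATE header (dwLength, wRevision, wCertificateType)
        has_sig = sec_off != 0 and sec_size >= 8 and sec_off + sec_size <= len(data)
    # A VS_VERSIONINFO resource begins with the wide string "VS_VERSION_INFO".
    has_ver = "VS_VERSION_INFO".encode("utf-16-le") in data
    return {"valid_pe": True, "has_authenticode": has_sig, "has_version_info": has_ver}


def looks_like_masquerade(data: bytes) -> bool:
    """True when a valid PE lacks either sign a genuine signed browser binary would have."""
    ind = pe_indicators(data)
    return ind["valid_pe"] and not (ind["has_authenticode"] and ind["has_version_info"])


def build_sample_pe(signed: bool, versioned: bool) -> bytes:
    """Constructed minimal PE32+ image (no sections, not runnable) for testing the checks."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: AMD64, 0 sections, SizeOfOptionalHeader = 240, EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                       # 112-byte PE32+ header + 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    body = bytearray()
    if versioned:
        body += b"\0" * 16 + "VS_VERSION_INFO".encode("utf-16-le") + b"\0" * 16
    cert = b""
    if signed:
        blob = b"\x30\x82\x00\x00"             # placeholder DER prefix, not a real signature
        # WIN_CERTIFICATE: dwLength, wRevision = 0x0200, wCertificateType = 0x0002 (PKCS#7)
        cert = struct.pack("<IHH", 8 + len(blob), 0x0200, 0x0002) + blob
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         header_len + len(body), len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + bytes(body) + cert


def triage_file(path: str) -> dict:
    """Read a file from disk and report the indicators plus the masquerade verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    result = pe_indicators(data)
    result["suspicious"] = looks_like_masquerade(data)
    return result


if __name__ == "__main__":
    for label, sample in (("signed+versioned", build_sample_pe(True, True)),
                          ("unsigned, no version info", build_sample_pe(False, False))):
        print(label, pe_indicators(sample), "masquerade:", looks_like_masquerade(sample))
```

A non-empty certificate table only proves that something is attached, not that the signature is valid or chains to a publisher you trust; on a Windows host, confirm with `Get-AuthenticodeSignature` or `signtool verify /pa`, and compare the `VersionInfo` block (product name, company) against a known-good Chrome binary rather than stopping at presence.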
Using NW.js, Ransom32 can also be packaged for Linux and Mac OS X, and because NW.js is a legitimate framework and the result looks like a legitimate application, it is not easily detected.
Read the full details on the Emsisoft blog.