The SaaS model has been picking up pace and is considered one of the best platforms for conducting business; on the other hand, it has also given rise to a large number of malware writers and cyber crooks who are attempting to exploit the same model for their own purposes. Ransomware as a service works much like real-world extortion: the attacker hijacks your system and releases it only once you pay the ransom. Ransom32 is the new kid on the block, and what makes it different is that it is the first JavaScript ransomware!
Ransom32 ransomware
Signup for the ransomware is handled via a hidden server on the Tor network and requires a Bitcoin address to which the funds generated by the ransomware are to be sent. That’s not all: Ransom32 also has a full-fledged dashboard that lets attackers check the stats of their ransomware and see whether victims have paid. The dashboard also lets them change the amount of Bitcoin the malware asks for and show fake message boxes during installation of the malware.
How it works
Ransom32 is very different from other malware in that it comes as a 22 MB malware file, whereas other malware files are usually less than 1 MB in size. The malware file is, in essence, a WinRAR self-extracting archive: it uses the scripting language built into WinRAR to automatically unpack and dump its contents into the user’s temporary files directory and eventually execute the “Chrome.exe” file from the archive.
The clever part of the malware is the “Chrome.exe” file, which looks like a copy of the Chrome browser. The fact that it lacks a proper digital signature and version information is the tell-tale sign that the file is not the actual Chrome browser, and a closer look reveals that it has been packaged as an NW.js application.
NW.js is a framework that facilitates developing ordinary desktop applications for Windows, Linux and Mac OS X using JavaScript. NW.js allows an increased degree of control over the operating system, letting an application do anything a run-of-the-mill programming language can do.
Ransom32 can be packaged for both Linux and Mac OS X using NW.js, and because NW.js is a legitimate framework and application, it will not be detected easily.
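As an added illustration (not code from this article or from Emsisoft’s analysis), here is a small Python triage helper that checks a file for the tell-tale signs described above: a file named Chrome.exe with no embedded Authenticode signature, an embedded RAR archive marker (the self-extracting dropper), and an unusually large size. The PE header offsets are the standard PE/COFF layout; the sample image it builds is constructed for demonstration only, and the check only tests for the presence of a signature blob, not its validity.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # Certificate Table slot (standard PE layout)
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4 / RAR5 archive markers
SIZE_THRESHOLD = 20 * 1024 * 1024         # far above the sub-1 MB norm the article describes

def pe_has_authenticode(data: bytes) -> bool:
    """True if the PE carries an embedded Authenticode blob (Certificate Table populated).
    Presence only: validating the certificate chain needs a full signature verifier."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt = e_lfanew + 24                     # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory offset
    entry = dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > len(data):
        return False
    offset, size = struct.unpack_from("<II", data, entry)
    return offset != 0 and size != 0

def has_rar_payload(data: bytes) -> bool:
    """True if a RAR archive marker appears anywhere in the file (typical of a RAR SFX stub)."""
    return any(m in data for m in RAR_MAGICS)

def assess(data: bytes, filename: str) -> list:
    """Return the tell-tale signs from the article that this file exhibits (empty = none)."""
    reasons = []
    if filename.lower() == "chrome.exe" and not pe_has_authenticode(data):
        reasons.append("named Chrome.exe but carries no Authenticode signature")
    if has_rar_payload(data):
        reasons.append("contains an embedded RAR archive (self-extracting dropper)")
    if len(data) > SIZE_THRESHOLD:
        reasons.append("unusually large executable (>20 MB)")
    return reasons

def build_sample_pe(signed: bool, rar_tail: bool) -> bytes:
    """Constructed minimal PE32 image containing only the headers the checks above read."""
    dos = bytearray(0x40); dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> PE header at 0x40
    opt = bytearray(224)                                 # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic = PE32
    if signed:                                           # fake Certificate Table entry
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    image = bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)
    return image + (RAR_MAGICS[0] + bytes(16) if rar_tail else b"")
```

Run `assess(open(path, "rb").read(), name)` over a suspect file; an empty list means none of the three signs are present.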
Read the full details on the Emsisoft blog.
Current anti-malware research seems to indicate that the Ransom 32 client in your pix is what someone wanting to tailor the malware to their own tastes gets once they buy it from TOR’s .onion hidden service; according to Emsisoft’s Fabian Wosar (leading finder of this stuff), WinRAR is just the default format available to any buyer, but any kind of extracting file format can be used…can’t just firewall out WinRAR, and he further indicates disabling Java in browsers won’t work to stop infection; worse, it’s able to subvert Chrome and Linux native sandboxing while also able to make itself executable even w/o WINE; it appears to run encryption at low CPU usage to work around notice in Task Manager; it reaches out over port 85 (which again is just default) to make AES 128 encrypted connection to the main Ransom 32 server via TOR…but a firewall might miss blocking its outreach to TOR if it lets all TLS traffic out despite other settings; lastly, the malware can be delivered via emails, infected downloads, or otherwise, and at present it seems signature blocking is very tricky or sketchy.
All I could find on this in re protection is of course always back up everything; other than that, the only prevention seems to be having a behavior blocker as good as or better than Emsisoft’s, and then having enough technical skill to know what’s trying to connect to the internet from the innocuous-looking file your A/V throws warnings about. In other words, those such as TWC admins, security researchers, and me are very likely to be able to keep a stealth infection from connecting to TOR, but many more people won’t…especially in Linux where UFW (uncomplicated firewall) is the most common blocker yet doesn’t just throw GUI alerts out of the box.
Hope this helps somehow, and look forward to TWC keeping us updated on progress towards stifling this threat on a macro scale. Cheers!