Ransom32 Ransomware

Ransom32 Ransomware Description

Type: Trojan

PC security analysts have received reports of Ransom32 Ransomware infections in the wild. The Ransom32 Ransomware is notable because it is one of the first, if not the first, ransomware threats seen in the wild that is written in JavaScript, which means it is not inherently restricted to the Windows operating system. PC security researchers learned of the threat when they spotted it being sold on underground forums as a service offered by its creators. One reason the Ransom32 Ransomware was not spotted earlier is that its initial campaign ran during the December holidays, when fewer people were using their computers, so it stayed under the radar.

The Ransom32 Ransomware may Affect Several Operating Systems

Although the Ransom32 Ransomware infections spotted in the wild have targeted computers running the Windows operating system, the threat is built on the NW.js framework, which also runs on Linux and Mac OS X, so the same code could be repackaged for those platforms with little effort. To date, the Ransom32 Ransomware has only been observed packaged as a Windows EXE file. That may change soon, however, since adapting the Ransom32 Ransomware to attack a wider range of computers would not be difficult.

JavaScript running in a Web browser is confined to the browser sandbox and can do little to the underlying system. NW.js, however, bundles the Chromium engine with Node.js, so a JavaScript application packaged with it can read and write files, start processes and use the network much like a threat written in Delphi, C++ or another conventional programming language. The Ransom32 Ransomware is offered as a service. Ransomware as a Service, or RaaS, is not uncommon: earlier examples such as Tox and FAKBEN take a cut of the profits ranging from ten to thirty percent, and the operators of the Ransom32 Ransomware keep 25 percent of the ransoms collected by their customers' customized builds. The Ransom32 Ransomware currently encrypts files in such a way that they cannot be recovered without the key held by the attackers.

How Third Parties may Profit from Using the Ransom32 Ransomware

Like other ransomware infections, the Ransom32 Ransomware encrypts the victim's files and demands a ransom in exchange for the key needed to decrypt them. Payment is handled anonymously: the Ransom32 Ransomware directs victims to a server hosted on the Tor network and requires the ransom to be paid in Bitcoin. The Ransom32 Ransomware is distributed through malicious email attachments, commonly delivered by spam email.

The Ransom32 Ransomware administration panel and Command and Control server are both quite sophisticated. The people administering a Ransom32 Ransomware campaign can get detailed information about the computers that were infected and keep track of payments from victims. Customers of the Ransom32 Ransomware RaaS can also configure custom error messages and ransom notes, as well as the ransom amount and other settings.

The Unique Characteristics of the Ransom32 Ransomware

The Ransom32 Ransomware has several characteristics that have caught the attention of PC security researchers. Apart from its use of NW.js, its file size is surprisingly large. Most ransomware files are about 1 MB or less; the small size is part of the selling point of these attacks, since a smaller file is easier to deliver and install. The Ransom32 Ransomware's file is 32 MB in size. Most of that bulk, however, is the bundled NW.js runtime (the chrome.exe, nw.pak and icudtl.dat files listed below) rather than the ransomware logic itself, so the size says nothing about the sophistication of the threat. In its behavior, the Ransom32 Ransomware follows the same model as the infamous CryptoLocker: it encrypts the victim's files and holds them for ransom.

Technical Information

File System Details

Ransom32 Ransomware creates the following file(s):
# File Name
1 %Temp%\nw3932_17475
2 %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk
3 %AppData%\Chrome Browser\.chrome\
4 %AppData%\Chrome Browser\.chrome\cached-certs
5 %AppData%\Chrome Browser\.chrome\cached-microdesc-consensus
6 %AppData%\Chrome Browser\.chrome\cached-microdescs
7 %AppData%\Chrome Browser\.chrome\cached-microdescs.new
8 %AppData%\Chrome Browser\.chrome\lock
9 %AppData%\Chrome Browser\.chrome\state
10 %AppData%\Chrome Browser\chrome
11 %AppData%\Chrome Browser\chrome.exe
12 %AppData%\Chrome Browser\ffmpegsumo.dll
13 %AppData%\Chrome Browser\g
14 %AppData%\Chrome Browser\icudtl.dat
15 %AppData%\Chrome Browser\locales\
16 %AppData%\Chrome Browser\msgbox.vbs
17 %AppData%\Chrome Browser\n.l
18 %AppData%\Chrome Browser\n.q
19 %AppData%\Chrome Browser\nw.pak
20 %AppData%\Chrome Browser\rundll32.exe
21 %AppData%\Chrome Browser\s.exe
22 %AppData%\Chrome Browser\u.vbs

Several of these entries tell an analyst what to look for. The hidden .chrome\ directory holds the working files of a Tor client (cached-certs, cached-microdesc-consensus, cached-microdescs, lock, state), which the threat uses to reach its payment server on the Tor network. The chrome.exe, nw.pak, icudtl.dat and ffmpegsumo.dll files are the NW.js runtime, dropped under a folder named "Chrome Browser" so that it passes for Google Chrome; a genuine Chrome installation does not live under %AppData%\Chrome Browser and does not ship an nw.pak. The ChromeService.lnk shortcut in the per-user Startup folder is how the threat is started again at each logon. A copy of rundll32.exe outside the Windows system directory is likewise worth treating as suspicious.
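As an added example (not code from the original article or from any security vendor), the following Python script turns the file-system indicators above into a host-triage check. It takes a flat list of file paths collected from a machine (constructed sample listings are embedded inline), normalizes them, and reports whether the three clusters that characterize this infection are present: the NW.js runtime dropped into %AppData%\Chrome Browser\ under the name chrome.exe, the Tor client state files in the hidden .chrome\ directory, and the ChromeService.lnk Startup shortcut. The user names, the clean-host layout and the rule that the masquerading runtime must appear together with at least one other cluster are the author's assumptions, not something the article specifies.

```python
"""Host-triage check built from the Ransom32 file-system indicators.

Added example, not part of the original article or of any vendor tool.
Input: a flat list of paths observed on a Windows host (constructed sample
listings below).  Output: which indicator clusters are present and a verdict.
"""
import ntpath
from dataclasses import dataclass, field

# Files of the NW.js runtime that the dropper places under a folder named to
# look like Google Chrome.
NWJS_RUNTIME = {"chrome.exe", "nw.pak", "icudtl.dat", "ffmpegsumo.dll"}
# Files a Tor client keeps in its data directory (here the hidden .chrome folder).
TOR_STATE = {"cached-certs", "cached-microdesc-consensus", "cached-microdescs",
             "cached-microdescs.new", "lock", "state"}
# Persistence: shortcut in the per-user Startup folder (matched case-insensitively).
STARTUP_LNK = r"\microsoft\windows\start menu\programs\startup\chromeservice.lnk"


@dataclass
class Verdict:
    nwjs_files: set = field(default_factory=set)
    tor_files: set = field(default_factory=set)
    persistence: bool = False

    @property
    def suspicious(self) -> bool:
        # Assumption: alert only when the masquerading runtime (chrome.exe next to
        # nw.pak) is combined with Tor state or the Startup shortcut, so a legitimate
        # NW.js application that happens to live under %AppData% does not fire alone.
        runtime = {"chrome.exe", "nw.pak"} <= self.nwjs_files
        return runtime and (bool(self.tor_files) or self.persistence)


def _normalize(path: str) -> str:
    """Lower-case and use backslashes so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def classify_paths(paths) -> Verdict:
    """Bucket each observed path into the indicator cluster it belongs to."""
    verdict = Verdict()
    for raw in paths:
        path = _normalize(raw)
        parent, name = ntpath.split(path)
        if path.endswith(STARTUP_LNK):
            verdict.persistence = True
        elif parent.endswith(r"\chrome browser") and name in NWJS_RUNTIME:
            verdict.nwjs_files.add(name)
        elif parent.endswith(r"\chrome browser\.chrome") and name in TOR_STATE:
            verdict.tor_files.add(name)
    return verdict


# Constructed listing for an infected user profile, mirroring the table above.
INFECTED_HOST = [
    r"C:\Users\alice\AppData\Roaming\Chrome Browser\chrome.exe",
    r"C:\Users\alice\AppData\Roaming\Chrome Browser\nw.pak",
    r"C:\Users\alice\AppData\Roaming\Chrome Browser\icudtl.dat",
    r"C:\Users\alice\AppData\Roaming\Chrome Browser\.chrome\cached-microdesc-consensus",
    r"C:\Users\alice\AppData\Roaming\Chrome Browser\.chrome\state",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk",
    r"C:\Users\alice\Documents\report.docx",
]

# Constructed listing for a clean host: real Chrome lives under Program Files or
# %LocalAppData%\Google\Chrome, and a legitimate NW.js app ships its own nw.pak
# in its own folder, without the Tor state or the Startup shortcut.
CLEAN_HOST = [
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"C:\Users\bob\AppData\Roaming\MyNwApp\nw.pak",
    r"C:\Users\bob\AppData\Roaming\MyNwApp\MyNwApp.exe",
]


if __name__ == "__main__":
    for label, listing in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        v = classify_paths(listing)
        print(f"{label}: suspicious={v.suspicious} nwjs={sorted(v.nwjs_files)} "
              f"tor={sorted(v.tor_files)} startup_lnk={v.persistence}")
```

Feed it the output of a recursive directory listing of the user profile (for example the paths from `Get-ChildItem -Recurse` on the host, or from a forensic image) and treat a `suspicious` verdict as a cue to pull the Startup shortcut's target and the contents of the "Chrome Browser" folder for analysis. The check is deliberately conservative: a single nw.pak or chrome.exe in an unusual place is not enough on its own, because legitimate NW.js applications exist.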

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.