
Ransom32 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 142
First Seen: January 5, 2016
Last Seen: December 13, 2022
OS(es) Affected: Windows

PC security analysts have received reports of Ransom32 Ransomware infections in the wild, a ransomware infection notable because it may be one of the first, if not the first, ransomware threats in the wild that uses JavaScript. This means that the Ransom32 Ransomware can affect multiple operating systems, rather than being restricted to the Windows operating system. PC security researchers first learned of it when they spotted the Ransom32 Ransomware being sold on underground forums as a service provided by the creators of this threat. One reason the Ransom32 Ransomware wasn't spotted earlier is that it carried out its initial threat campaign during the December holidays, when fewer people were using their computers than during the school year, so the Ransom32 Ransomware stayed under the radar.

The Ransom32 Ransomware may Affect Several Operating Systems

Although the Ransom32 Ransomware infections spotted in the wild have targeted computers using the Windows operating system, the fact that the Ransom32 Ransomware uses the NW.js framework to carry out its attack means that the Ransom32 Ransomware is capable of affecting Linux and Mac OS X as well. The Ransom32 Ransomware could be easily adapted to target these operating systems. Currently, the Ransom32 Ransomware has only been observed packaged as EXE files, that is, Windows executables. However, this may change soon, since it would not be difficult to adapt the Ransom32 Ransomware threat to attack a wider range of computers.

JavaScript has limits as to what it can accomplish in a Web browser. However, the use of NW.js by the Ransom32 Ransomware allows it much more interaction with the operating system, giving it a reach that rival threats created using Delphi, C++, or other more standard programming languages do not possess. The Ransom32 Ransomware is being provided as a service. Ransomware as a service, or RaaS, is not uncommon: current examples such as Tox or FAKBEN take a cut of the profits ranging from ten to thirty percent. The Ransom32 Ransomware requires 25 percent of the profits from its customized versions. The Ransom32 Ransomware currently encrypts files in a way that cannot be reversed without the encryption key.

How Third Parties may Profit from Using the Ransom32 Ransomware

Like other ransomware infections, the Ransom32 Ransomware encrypts the victim's files, demanding the payment of a ransom in exchange for the encryption key. The Ransom32 Ransomware uses anonymous methods for payment. The Ransom32 Ransomware uses a server on the Tor network that requires Bitcoin for ransom payments. The Ransom32 Ransomware is distributed using corrupted email attachments, commonly distributed using spam email.

The Ransom32 Ransomware administration panel and Command and Control server are both quite sophisticated. The people administering the Ransom32 Ransomware infections can get detailed information about the computers that were infected, as well as keep track of payments from victims. It is also possible for people paying for the Ransom32 Ransomware RaaS to configure custom error messages and ransom messages, as well as customize the amount of the ransom and other information.

The Unique Characteristics of the Ransom32 Ransomware

The Ransom32 Ransomware has various unique characteristics that have caught the attention of PC security researchers. Apart from the fact that the Ransom32 Ransomware uses NW.js, its file size is surprisingly large. Most ransomware files are about 1 MB or less in size. In fact, the small size is part of the selling point of these attacks, since it's easier to deliver and install a smaller file. The Ransom32 Ransomware uses a file that is 32 MB in size. However, the larger size does not, in any way, reflect on the sophistication of this threat. The Ransom32 Ransomware operates like the infamous CryptoLocker, and in some respects is its natural successor.

File System Details

Ransom32 Ransomware may create the following file(s):
1. %Temp%\nw3932_17475
2. %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk
3. %AppData%\Chrome Browser\.chrome\
4. %AppData%\Chrome Browser\.chrome\cached-certs
5. %AppData%\Chrome Browser\.chrome\cached-microdesc-consensus
6. %AppData%\Chrome Browser\.chrome\cached-microdescs
7. %AppData%\Chrome Browser\.chrome\cached-microdescs.new
8. %AppData%\Chrome Browser\.chrome\lock
9. %AppData%\Chrome Browser\.chrome\state
10. %AppData%\Chrome Browser\chrome
11. %AppData%\Chrome Browser\chrome.exe
12. %AppData%\Chrome Browser\ffmpegsumo.dll
13. %AppData%\Chrome Browser\g
14. %AppData%\Chrome Browser\icudtl.dat
15. %AppData%\Chrome Browser\locales\
16. %AppData%\Chrome Browser\msgbox.vbs
17. %AppData%\Chrome Browser\n.l
18. %AppData%\Chrome Browser\n.q
19. %AppData%\Chrome Browser\nw.pak
20. %AppData%\Chrome Browser\rundll32.exe
21. %AppData%\Chrome Browser\s.exe
22. %AppData%\Chrome Browser\u.vbs
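As an added example that is not part of this page or of the threat itself, the following Python check looks under %AppData% for the artifacts listed above (the Startup-folder ChromeService.lnk, the NW.js runtime files in "Chrome Browser", and the Tor client state in ".chrome"). The category names, the scoring rule that combines them, and the constructed sample tree are assumptions of this example.

```python
import os
import tempfile
from pathlib import Path

# Artifacts from this page's File System Details, relative to %AppData% (Roaming).
STARTUP_LNK = Path("Microsoft/Windows/Start Menu/Programs/Startup/ChromeService.lnk")
BUNDLE_DIR = Path("Chrome Browser")
NWJS_FILES = ["chrome.exe", "nw.pak", "icudtl.dat", "ffmpegsumo.dll",
              "rundll32.exe", "s.exe", "u.vbs", "msgbox.vbs", "n.l", "n.q", "g"]
TOR_STATE_FILES = ["cached-certs", "cached-microdesc-consensus",
                   "cached-microdescs", "cached-microdescs.new", "state", "lock"]

def scan_appdata(appdata):
    """Return (category, relative_path) pairs for page-listed artifacts present under appdata."""
    root = Path(appdata)
    found = []
    if (root / STARTUP_LNK).is_file():           # Startup-folder persistence entry
        found.append(("persistence", STARTUP_LNK.as_posix()))
    for name in NWJS_FILES:                       # NW.js runtime dropped into AppData
        if (root / BUNDLE_DIR / name).exists():
            found.append(("nwjs-runtime", (BUNDLE_DIR / name).as_posix()))
    for name in TOR_STATE_FILES:                  # Tor client state for the hidden-service C2
        if (root / BUNDLE_DIR / ".chrome" / name).exists():
            found.append(("tor-state", (BUNDLE_DIR / ".chrome" / name).as_posix()))
    return found

def verdict(found):
    """Assumed rule: persistence plus runtime or Tor state is a strong match; anything else is weaker."""
    kinds = {k for k, _ in found}
    if "persistence" in kinds and kinds & {"nwjs-runtime", "tor-state"}:
        return "likely-ransom32"
    return "suspicious" if found else "clean"

def build_sample_tree(root):
    """Constructed sample (empty files): a subset of the page's artifacts under root."""
    for rel in [STARTUP_LNK, BUNDLE_DIR / "chrome.exe", BUNDLE_DIR / "nw.pak",
                BUNDLE_DIR / ".chrome" / "state"]:
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_bytes(b"")

def demo():
    """Scan a constructed infected tree and an empty tree; returns both verdicts."""
    with tempfile.TemporaryDirectory() as infected, tempfile.TemporaryDirectory() as clean:
        build_sample_tree(infected)
        return verdict(scan_appdata(infected)), verdict(scan_appdata(clean))

if __name__ == "__main__":
    appdata = os.environ.get("APPDATA") or str(Path.home() / "AppData" / "Roaming")
    hits = scan_appdata(appdata)
    print(verdict(hits), hits)
```

Run on a Windows host it reads %APPDATA% directly; elsewhere it falls back to the equivalent path and reports "clean", which is why the constructed sample tree in demo() is used to exercise the logic.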
