In case that term doesn’t ring a bell, here is a brief description.
Ransomware, is a scary word, it is a form of malware which infects computers, and locks it down, or at least access to most features. To unlock the computer, the user is forced to pay an amount of money to the attacker, aka a ransom. These ransomware as a service attacks, usually ask the owner of the infected computer, to transfer a sum of money, using the digitial currency, Bitcoin.
Some ransomware are so powerful in that they encrypt the hard drive, so it is impossible to decrypt the drive without the password. CryptoLocker, is an example of the most powerful ransomware to have been released.
Austria based security research firm and antivirus maker, Emsisoft, recently discovered a new one called Ransom32 which has been written in Javacript, and unlike most ransomware which are pretty small in size, this one is quite large at 22MB.
The file uses a generic name called “Client”, client.scr to be precise. When downloaded, it was found to be a self-extracting WinRAR archive with a few files which it extracts to the temporary files folder, and executes chrome.exe (as described below)
It is worth noting that WinRAR is NOT the attack vector, any archive extractor application can be used, according to Fabian Wosar, the security researcher at Emsisoft who discovered what Ransom32 does. The ransomware could use WinZip, or even the open source 7-zip software, it appears that the malware creator just chose WinRAR as a tool, the other files it contained could have been downloaded in the background secretly.
The list of files as seen in the image below, are all illegal, yet are disguised, to appear as legit ones.
The Chrome.exe is not actually the browser, there is no digital signature or version information which the real one would have, but the fake chrome.exe is the one which contains the malicious code. We have already reported on more than one occassion, that Google has warned many times, how attackers mimic its browser to trick the user into thinking the file is safe, when in relity they are downloading a malware.
Ransom32 does something similar, and the Chrome.exe is an NW.js app with the malicious code and framework, which it needs to run. The biggest threat here, is that since it is based on NW.js it could have been designed to be used on Windows, Mac OS X and Linux, but for now it only exits for Windows.
The files in the extracted folder: ffmpegsumo.dll, nw.pak, icudtl.dat and locales also contain the data/framework which the malware needs to run.
Rundll32 is actually an exe which is a renamed copy of the Tor client, while the exe file G contains the malware’s settings (used by the hacker), and S is an Optimum X Shortcut, which it uses to create and run Desktop and start menu shortcuts. It creates a ChromeService startupfolder which is executed at every boot.
msgbox.vbs is the script with the scary message which the ransomware displays on the infected PC, (check the first screenshot of this article). u.vbs has the script a small script which calculates the number of files and folders in a directory and is capable of deleting them.
Once the malware connects with the server using the Tor client, it begins displaying the ransome message, with the cyptographic encryption key. Then the encryption begins, for a list of the file formats which it targets, see the blog post at the Emsisoft blog. It uses AES 128 bit encryption.
Emsisoft Anti-Malware and Emsisoft Internet Security, have a built-in behavorial blocker, which monitors if a file behaves suspiciously, and if it finds any, it blocks the file, and notifies the user. Both security products are capable of detecting and removing Ransom32, before the ransomware affects the computer.
We advise readers to have their data backed up to an external drive, or also in a cloud storage to ensure they don’t lose any important content in case of such a dangerous malware attack. And never download files from websites you do not trust, or files with strange extensions.