While on the face of it, this is just another example of ransomware that encrypts files and seeks Bitcoin payments to decrypt them, it is more than that. The NW.js framework not only allows for cross-platform infections, but also means it is harder to detect. Ransom32 bears some resemblance to CryptoLocker and has been dubbed Ransomware-as-a-Service.
Ransom32 is being traded on the dark web, with the authors offering customized versions of the malware in return for a 25 percent cut of whatever money is generated. Security expert Fabian Wosar from Emsisoft blogged about the ransomware and points out that it is notable if only for the unusually large size (22MB) and complexity of the malicious files it downloads as part of the infection process.
As Wosar explains, the initial infection method is nothing out of the ordinary, involving little more than using spam emails to lure victims into installing the ransomware. Delivered as a compressed RAR file, Ransom32 self-extracts and uses WinRAR's scripting language to configure the malware to launch at system startup, then establishes a connection to a command-and-control (C2) server using the bundled Tor client. Files are encrypted and a ransom note is issued, warning that the cost of decrypting files will increase as time goes by.
In his explanation of Ransom32, Wosar says:
Files are being encrypted using AES with a 128-bit key using CTR as a block mode. A new key is being generated for every file. The key is encrypted using the RSA algorithm and a public key that is being obtained from the C2 server during the first communication.
He advises that having a robust backup strategy in place is the best form of defense at the moment -- particularly as AV software manufacturers have been slow to push out definitions that detect Ransom32.
For now, only Windows versions of Ransom32 have been seen out in the wild, but the ease of repackaging for Linux and OS X means that these operating systems could well be targets in the near future.