Ransom32 is delivered to the victim's computer as a self-extracting (SFX) WinRAR archive. The archive uses WinRAR's built-in SFX scripting commands to unpack its contents, and among the files it drops is one called chrome.exe.
This executable is not a browser but a packed NW.js application, the framework that lets JavaScript code run as a desktop program.
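The delivery chain described above (a PE stub with a RAR archive appended, plus an SFX script that launches the dropped chrome.exe) can be triaged with a small heuristic scanner. The following is an added example written for this page, not code from Emsisoft or from the Ransom32 sample. It assumes that the SFX script commands (Setup=, Silent=, Path=, and so on) appear in plaintext after the RAR signature, which is common but not guaranteed, and it runs on constructed sample bytes rather than a real sample.

```python
"""Heuristic triage for WinRAR self-extracting (SFX) archives.

A WinRAR SFX is a PE stub with the RAR archive appended: the file starts with
'MZ' and a RAR signature appears somewhere after the stub. The SFX script is
stored as an archive comment and is frequently visible in plaintext, which is
what this scanner looks for. Added example; not Ransom32 or Emsisoft code.
"""
import re
from typing import Dict, List, Optional

RAR4_SIG = b"Rar!\x1a\x07\x00"       # RAR 1.5 - 4.x archive signature
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"   # RAR 5.x archive signature

# SFX script commands from WinRAR's SFX documentation. The lookbehind stops
# 'Presetup=' from also being reported as 'setup'; values end at CR, LF or NUL.
SFX_CMD_RE = re.compile(
    rb"(?i)(?<![A-Za-z])(Presetup|Setup|Silent|Overwrite|Path|TempMode|Title|Text|Update|Shortcut)=([^\r\n\x00]*)"
)


def find_rar_signature(data: bytes) -> Optional[int]:
    """Return the offset of the first RAR signature after the PE header, or None."""
    if not data.startswith(b"MZ"):
        return None
    # Skip the 64-byte DOS header so the stub itself cannot produce a hit.
    for sig in (RAR5_SIG, RAR4_SIG):
        off = data.find(sig, 64)
        if off != -1:
            return off
    return None


def extract_sfx_commands(data: bytes, start: int) -> Dict[str, List[str]]:
    """Collect plaintext SFX script commands found after the RAR signature."""
    cmds: Dict[str, List[str]] = {}
    for m in SFX_CMD_RE.finditer(data[start:]):
        key = m.group(1).decode("ascii").lower()
        val = m.group(2).strip().decode("latin-1")
        cmds.setdefault(key, []).append(val)
    return cmds


def triage(data: bytes) -> dict:
    """Flag a PE that carries an SFX script silently launching a 'chrome.exe'."""
    off = find_rar_signature(data)
    if off is None:
        return {"sfx": False, "commands": {}, "suspicious": False}
    cmds = extract_sfx_commands(data, off)
    setups = cmds.get("setup", [])
    silent = any(v in ("1", "2") for v in cmds.get("silent", []))
    # Heuristic: a silently run payload borrowing a browser's filename is the
    # pattern this article describes; a real rule would widen this list.
    suspicious = silent and any(s.lower().endswith("chrome.exe") for s in setups)
    return {"sfx": True, "rar_offset": off, "commands": cmds, "suspicious": suspicious}


# Constructed sample bytes (not a real sample): a fake PE stub, a RAR5
# signature, then a plaintext SFX script in the style Ransom32 is said to use.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 254
    + RAR5_SIG + b"\x00" * 16
    + b"Path=%TEMP%\r\nSetup=chrome.exe\r\nSilent=1\r\nOverwrite=1\r\n"
)
# Constructed ordinary PE with nothing appended.
SAMPLE_PLAIN_PE = b"MZ" + b"\x00" * 300

if __name__ == "__main__":
    for name, blob in (("sfx", SAMPLE_SFX), ("plain", SAMPLE_PLAIN_PE)):
        print(name, triage(blob))
```

This is a first-pass filter, not a detector: if the SFX comment was stored compressed, `extract_sfx_commands` finds nothing even though `find_rar_signature` still identifies the file as an SFX, so a hit on the signature alone is worth a closer look with a RAR tool that can list the archive and dump its comment.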
According to Emsisoft's Fabian Wosar, the campaign delivering the sample they analyzed uses bogus emails that trick victims into downloading a file, which in turn fetches Ransom32 onto the computer.
The ransomware encrypts a wide range of file types, and its encryption scheme has yet to be broken.
But the most interesting thing about it is that it’s offered to wannabe criminals as a service.
The researchers have tracked down the Dark Web portal that criminals are directed to use. Through it they can both tailor the ransomware to their needs and view statistics (how many systems have been infected, how many users have paid the ransom, and so on).
As mentioned before, protecting against this threat is difficult: NW.js is a legitimate framework, so blocking every application built on it is not a viable approach for security products.
That is partly why most of them still struggle to detect Ransom32.