Ransomware, as known by a lot of people, are nasty pieces of software that encrypt files on a Windows system, and then threaten users that their data will be lost forever, unless they pay up, usually in Bitcoins. Many have surfaced in the past year, like a program that scrambles your computer"s file names, and another that even offers a "referral program," turning victims into perpetrators. And more recently, such programs have evolved, now targeting a wider range of computers.
Enter Ransom32, one of the newest ransomware for the New Year. The program is written in Javascript, running on the NW.js platform, and can infect systems running on the Windows platform. It can also have the capability of targeting Mac OS X or Linux computers, if repackaged with platform-specific runtimes. It is also dubbed as a "ransomware-as-a-service," a play from SaaS or "Software as a Service."
Initially analyzed by security expert Fabian Wosar from Emsisoft, Ransom32 functions quite differently compared to the usual ransomware programs. This program can actually be utilized by anyone who knows how to access hidden servers in the Tor network, and a simple Bitcoin address can be used to be able to sign up and make their own version of the ransom program.
Operators of the program are given a control center where they can see statistics, like how many people have paid up, and how much money has been sent so far. They can also configure their own variant of the program, setting the ransom amount they want, set custom messages and set how they want their victims" computer to operate once the software has been launched.
The program will then be distributed via the usual method: spam emails. Packaged as a RAR file, the archive will extract all by itself, utilizing WinRAR"s scripting language in order to make the malicious program always launch at startup, and execute the files inside it, successfully locking up a victim"s computer using a 128-bit AES encryption.
It will encrypt data on a computer with file extensions such as .jpeg, .mp3, .mov, .mp4, .docx, .csv, .xlsx, .xml, .dat, and .pptx, among many others.
Aside from the usual threatening message displayed on a victim"s computer, the program also has the ability to raise the cost of the payment needed in order to unlock a user"s files.
As of the moment, only Windows variants of the ransomware have been seen in the wild, but with the software running on a NW.js framework, it can also run on the two other operating systems.
As per usual, it helps if a user has a backup of his/her computer files, as using programs to remove this software after it has encrypted the files can result in their permanent damage. It is also very advisable to keep antivirus software up-to-date. And most of all, be wary in opening email attachments that look too suspicious.
Source and Images via Emsisoft