Story image

Ransom32, the Next Step in Ransomware-as-a-Service, explained

02 Feb 2016

The Ransomware-as-a-Service (RaaS) business model is still seeing growth. Ransom32 is one of the latest iterations of RaaS that cyber criminals have to offer – a version that could later be used on Mac and Linux OS.

As with other RaaS platforms, you sign up to create new samples from hidden servers in the TOR Network. Just input the bitcoin wallet address you want your “revenue” to be deposited in.

Once you input a deposit bitcoin address, you’ll be presented with a user-friendly portal with customisation options and analytics. The customisation allows you to fully lock the computer – which will make the lock screen pop up every few seconds and can’t be minimised. Interestingly, it even cautions you about this feature – as victims will find it difficult to check whether their files have been encrypted and will likely have to use another machine to pay the bitcoin ransom. The analytics show you how many people you are infecting and how many people are paying the ransom.

Once you click download, it will generate the malware with your customised settings and payment amount. The size of the file is 22MB, which is quite large for malware in general. This is because the main malware component inside the payload, “chrome.exe,” is a packaged NW.js application which contains the malware code. NW.js is a framework that lets you call Node.js modules directly from the DOM and enables a way of writing applications with multiple web technologies that work on ALL operating systems. While we did see strings in the code reference commands only used on Unix operating systems, current samples only work on Windows… for now. We suspect that Mac/Linux compatibility is in the works.

This is the infection lock screen that pops up once you are infected and files are encrypted. You are also blasted with music from the video game Metal Gear Solid – which is bizarre and very obnoxious. We see that they’ve made sure to use the free decrypt tactic that was first introduced in 2014 with CoinVault – we did confirm that this feature works.

As always, these come with detailed instructions on how to purchase bitcoins with USD and then send it over to the ransom wallet.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more variants, but just in case of new zero-day threats, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Webroot has backup features built into our products that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files because we save a snapshot history for each of your files, up to ten previous copies.

Article by Tyler Moffitt, a senior threat research analyst at Webroot. On a daily basis, he is immersed deep within the world of malware and antimalware – gathering malware samples from the wild, creating antimalware intelligence, writing blogs and testing in-house security solutions.

Want to learn more about the latest (and nastiest) malware? Register for The 2016 Malware Forecast on February 24th. In this upcoming webinar, Tyler will offer expert insights into the latest malware variants – and the threats of tomorrow. Register today.

Microsoft appoints new commercial and partner business director
Bowden already has almost a decade of Microsoft relationship management experience under her belt, having joined the business in 2010.
Zoom’s new Rooms and Meetings features
Zoom has released information about the upcoming releases for its Rooms and Meeting offerings for 2019.
Aussie company set to democratise direct-to-orbit IoT access
Adelaide-based Myriota has released a developer toolkit that has been trialled and tested by a smart waste management platform.
Apple's AirPods now come with 'Hey Siri' functionality
The new AirPods come with a standard case or a Wireless Charging Case that holds additional charges for more than 24 hours of listening time.
Dynatrace takes pole position in APM Magic Quadrant
It placed highest on Ability to Execute and furthest on Completeness of Vision in the 2019 Quadrant for Application Performance Monitoring (APM).
HCL and Xerox expand strategic partnership
Under the terms of the agreement, HCL will manage portions of Xerox’s shared services, including global administrative and support functions.
Avaya expands integration with Google Cloud AI
This includes embedding Google’s machine learning within conversation services for the contact centre, enabling integration of AI capabilities.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.