Ransom32, the Next Step in Ransomware-as-a-Service, explained
The Ransomware-as-a-Service (RaaS) business model is still seeing growth. Ransom32 is one of the latest iterations of RaaS that cyber criminals have to offer – a version that could later be used on Mac and Linux OS.
As with other RaaS platforms, you sign up to create new samples from hidden servers in the Tor network. Just input the bitcoin wallet address you want your “revenue” to be deposited in.
Once you input a deposit bitcoin address, you’ll be presented with a user-friendly portal with customisation options and analytics. The customisation allows you to fully lock the computer, which makes the lock screen pop up every few seconds and prevents it from being minimised. Interestingly, the portal even cautions you about this feature, as victims will find it difficult to check whether their files have been encrypted and will likely have to use another machine to pay the bitcoin ransom. The analytics show you how many people you are infecting and how many people are paying the ransom.
Once you click download, it will generate the malware with your customised settings and payment amount. The size of the file is 22MB, which is quite large for malware in general. This is because the main malware component inside the payload, “chrome.exe,” is a packaged NW.js application which contains the malware code. NW.js is a framework that lets you call Node.js modules directly from the DOM and enables a way of writing applications with multiple web technologies that work on ALL operating systems. While we did see strings in the code reference commands only used on Unix operating systems, current samples only work on Windows… for now. We suspect that Mac/Linux compatibility is in the works.
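A defender triaging a sample like this can check whether an executable is really a packaged NW.js application. The following is an added example, not code from the original article or from the malware: it assumes the package was built with the documented NW.js method of appending a ZIP archive (with a package.json manifest) to the runtime executable, which the article does not state, and the sample bytes and function names are constructed for illustration.

```python
import io
import json
import zipfile

STUB_SIZE = 512  # constructed stand-in for the NW.js runtime executable


def nwjs_manifest(data: bytes):
    """Return the NW.js manifest dict if `data` is a Windows executable
    with an NW.js package appended to it, otherwise None."""
    if data[:2] != b"MZ":                 # not a PE/DOS executable
        return None
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):       # no ZIP directory at the end of the file
        return None
    try:
        with zipfile.ZipFile(buf) as zf:  # zipfile tolerates data before the archive
            manifest = json.loads(zf.read("package.json"))
    except (zipfile.BadZipFile, KeyError, ValueError):
        return None                       # damaged archive, no manifest, or bad JSON
    # NW.js requires both "name" and "main" in package.json
    if isinstance(manifest, dict) and {"name", "main"} <= manifest.keys():
        return manifest
    return None


def triage(filename: str, data: bytes) -> str:
    manifest = nwjs_manifest(data)
    if manifest is None:
        return "no appended NW.js package"
    return f"{filename}: NW.js app '{manifest['name']}', entry point {manifest['main']}"


def build_sample(with_package: bool) -> bytes:
    """Constructed test input: a fake executable stub, optionally with a
    harmless NW.js-style package appended."""
    stub = b"MZ" + b"\x00" * (STUB_SIZE - 2)
    if not with_package:
        return stub
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as zf:
        zf.writestr("package.json", json.dumps({"name": "demo", "main": "index.html"}))
        zf.writestr("index.html", "<html></html>")
    return stub + pkg.getvalue()


if __name__ == "__main__":
    print(triage("chrome.exe", build_sample(True)))
    print(triage("chrome.exe", build_sample(False)))
```

A file that carries a browser's name but turns out to hold an NW.js manifest is worth a closer look, since the manifest's entry point shows where the application's own script code starts.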
This is the infection lock screen that pops up once you are infected and files are encrypted. You are also blasted with music from the video game Metal Gear Solid – which is bizarre and very obnoxious. We see that they’ve made sure to use the free decrypt tactic that was first introduced in 2014 with CoinVault – we did confirm that this feature works.
As always, these come with detailed instructions on how to purchase bitcoins with USD and then send them over to the ransom wallet.
Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more variants, but just in case of new zero-day threats, the best protection is going to be a good backup solution. This can be either through the cloud or offline external storage. Webroot has backup features built into our products that allow you to have directories constantly synced to the cloud. If you were to get infected by a zero-day variant of encrypting ransomware, you can just restore your files because we save a snapshot history for each of your files, up to ten previous copies.
Article by Tyler Moffitt, a senior threat research analyst at Webroot. On a daily basis, he is immersed deep within the world of malware and antimalware – gathering malware samples from the wild, creating antimalware intelligence, writing blogs and testing in-house security solutions.