
Ransom32, the Next Step in Ransomware-as-a-Service, explained

02 Feb 16

The Ransomware-as-a-Service (RaaS) business model is still growing. Ransom32 is one of the latest RaaS offerings available to cyber criminals – and one that could later be ported to Mac and Linux.

As with other RaaS platforms, you sign up to create new samples on hidden servers in the Tor network. The only input required is the bitcoin wallet address you want your “revenue” deposited in.

Once you input a deposit bitcoin address, you are presented with a user-friendly portal offering customisation options and analytics. One customisation option fully locks the computer – the lock screen pops up every few seconds and can’t be minimised. Interestingly, the portal even cautions you about this feature, since victims will find it difficult to check whether their files have been encrypted and will likely have to use another machine to pay the bitcoin ransom. The analytics show you how many people you are infecting and how many are paying the ransom.

Once you click download, the portal generates the malware with your customised settings and payment amount. The file is 22MB, which is quite large for malware in general. This is because the main malware component inside the payload, “chrome.exe,” is a packaged NW.js application containing the malware code. NW.js is a framework that lets you call Node.js modules directly from the DOM, making it possible to write applications with multiple web technologies that run on all operating systems. While we did see strings in the code referencing commands used only on Unix operating systems, current samples only work on Windows… for now. We suspect that Mac/Linux compatibility is in the works.

This is the infection lock screen that pops up once you are infected and your files are encrypted. You are also blasted with music from the video game Metal Gear Solid – which is bizarre and very obnoxious. They have made sure to include the free-decrypt tactic first introduced in 2014 with CoinVault – we confirmed that this feature works.

As always, the lock screen comes with detailed instructions on how to purchase bitcoins with USD and send them to the ransom wallet.

Webroot will catch this specific variant in real time before any encryption takes place. We’re always on the lookout for more variants, but against new zero-day threats the best protection is a good backup solution, either in the cloud or on offline external storage. Webroot has backup features built into our products that keep chosen directories constantly synced to the cloud. If you were infected by a zero-day variant of encrypting ransomware, you could simply restore your files, because we save a snapshot history of up to ten previous copies for each file.

Article by Tyler Moffitt, a senior threat research analyst at Webroot. On a daily basis, he is immersed deep within the world of malware and antimalware – gathering malware samples from the wild, creating antimalware intelligence, writing blogs and testing in-house security solutions.

Want to learn more about the latest (and nastiest) malware? Register for The 2016 Malware Forecast on February 24th. In this upcoming webinar, Tyler will offer expert insights into the latest malware variants – and the threats of tomorrow. Register today.
