Emsisoft's Fabian Wosar writes here that embedded in a self-extracting WinRAR archive is an NW.js-packaged application that does the heavy lifting for the ransomware.
Because NW.js is a legitimate framework, its runtime files are a poor fit for signature-based malware detection (the company makes the usual observation that, unlike everyone else, it can protect users against this attack).
While Wosar's only seen Ransom32 as a Windows attack vector, NW.js would theoretically let the nastyware get packaged up for Mac OS X and Linux systems.
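Since the runtime itself is not malicious, a practical triage step is to look for the NW.js packaging rather than a malware signature: a directory that holds the runtime files alongside an application manifest. The following is an added example, not Emsisoft's or the article's code. The marker file names come from the NW.js runtime layout (nw.pak, icudtl.dat, node.dll, nw.dll, nw.exe) and the manifest format (package.json, or a zipped package.nw containing one); the two-marker threshold and the constructed sample tree are assumptions.

```python
"""Heuristic triage for NW.js application bundles on disk (added example).

Walks a directory tree, such as the extraction target of a self-extracting
archive, and reports directories that carry NW.js runtime files plus an
application manifest. Marker names follow the NW.js runtime layout; the
threshold of two runtime markers is an assumption, not an NW.js rule.
"""
import json
import os
import tempfile
import zipfile
from typing import Optional

# Runtime files shipped with NW.js; nw.exe is the Windows launcher.
RUNTIME_MARKERS = {"nw.pak", "icudtl.dat", "node.dll", "nw.dll", "nw.exe"}
MIN_MARKERS = 2  # assumption: two or more runtime files suggests a bundle


def read_manifest(directory: str) -> Optional[dict]:
    """Return the app manifest from package.json or a zipped package.nw."""
    loose = os.path.join(directory, "package.json")
    packed = os.path.join(directory, "package.nw")
    try:
        if os.path.isfile(loose):
            with open(loose, "r", encoding="utf-8") as fh:
                return json.load(fh)
        if zipfile.is_zipfile(packed):  # False if package.nw is absent
            with zipfile.ZipFile(packed) as zf:
                return json.loads(zf.read("package.json").decode("utf-8"))
    except (OSError, ValueError, KeyError):
        return None
    return None


def scan_for_nwjs(root: str) -> list:
    """Report directories under root that look like NW.js bundles."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        present = RUNTIME_MARKERS.intersection(f.lower() for f in filenames)
        if len(present) < MIN_MARKERS:
            continue
        manifest = read_manifest(dirpath)
        hits.append({
            "path": dirpath,
            "markers": sorted(present),
            "has_manifest": manifest is not None,
            "name": (manifest or {}).get("name"),
            "main": (manifest or {}).get("main"),  # page the runtime loads first
        })
    return hits


def build_constructed_tree(base: str) -> None:
    """Create a constructed sample: one NW.js-style drop and one benign dir."""
    drop = os.path.join(base, "sfx_drop")
    os.makedirs(drop)
    for name in ("nw.pak", "icudtl.dat", "node.dll", "nw.exe"):
        with open(os.path.join(drop, name), "wb") as fh:
            fh.write(b"\x00")  # placeholder content, constructed for the demo
    manifest = {"name": "sample-app", "main": "index.html",
                "window": {"frame": False}}
    with zipfile.ZipFile(os.path.join(drop, "package.nw"), "w") as zf:
        zf.writestr("package.json", json.dumps(manifest))
    # A plain Node project: manifest present, but no runtime markers.
    benign = os.path.join(base, "benign")
    os.makedirs(benign)
    with open(os.path.join(benign, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "tool", "main": "cli.js"}, fh)


def demo() -> list:
    """Build the constructed tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="nwjs_triage_")
    build_constructed_tree(base)
    return scan_for_nwjs(base)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The scan is platform-neutral apart from the nw.exe marker, so the same check applies to a Mac OS X or Linux build of the runtime should one appear; a bundle whose manifest is missing or unreadable is still reported, with `has_manifest` set to False, so that a deliberately malformed drop does not slip past.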
In the copy Emsisoft analysed, once Ransom32 was installed and launched, it connected to a command-and-control server on Tor, negotiated the Bitcoin address victims are supposed to pay to recover their files, and displayed its ransom note:
Ransom32's you-are-pwned warning, captured by Emsisoft
It encrypts the victim's files with AES using a 128-bit key. ®