Ransom32, a new Filecoder in sight


A new ransomware has been discovered recently and among its distinguishing characteristics it’s the fact that it pretends to be Google Chrome browser. ESET’s security solutions detect this threat as Win32/Filecoder.NFR and it was first analyzed by Emsisoft, which named it Ransom32.

It works in the form of  ‘Ransomware as a Service’ (RaaS) from a hidden server in the Tor network. There, cybercriminals can choose what malware will infect the victim, how many bitcoins it will ask for as a ransom and what threatening messages it will show in the screen. They can also see statistics on how many users were infected and how many of them actually paid.

Once Ransom32 installs itself on the system and is executed, it will unpack all of its malicious files in the temporary files folder to make sure it’s executed on every boot. The malicious file, chrome.exe, disguises itself as popular Chrome web browser. However, it is possible to see in its properties that it’s not digitally signed, and that the information regarding the version and name of the product has been erased.

Matías Porolli, malware analyst at ESET Latin America, explains how Ransom32 works: “Once the user executes the application, typical ransomware actions take place, such as encryption of files, contact with the sever and appearance of messages asking for a ransom.”

The extensions targeted for encryption are over a hundred, and among them are the most frequent ones used for text and images files like .TXT, .DOC, .JPG, .GIF, .AVI, .MOV y .MP4.

Another detail worth mentioning that differentiates Ransom32 from other similar threats is that it weighs around 45 MB, which is odd as ransomware is usually lighter. Nonetheless, this makes sense because it pretends to be a web browser.

“At this point it becomes evident that Ransom32 is very different to other ransomware, which rarely exceed 1 MB in size,”Emsisoft reports. “In fact, most ransomware authors use the small size of their malicious files as some kind of unique selling point when advertising their campaigns in underground hacker communities.”

As Ransom32 is a type of Filecoder, cybercriminals use different methods to get the malware onto victims’ system:

  • Malicious websites
  • Drive-by-download attacks
  • Malicious email attachments
  • Use of other trojan-downloaders or backdoors

Files are encrypted using AES with a 128 bit key, and a new key is generated for each file. The latter is encrypted using the RSA algorithm and a public key obtained from the C2 server during the first communication.

Further reading: Ransomware 101 – FAQ for computer users and smartphone owners

by Sabrina Pagnotta

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s