Remove Ransom32 Ransomware and Restore Encrypted Files

The first ransomware written entirely in JavaScript has appeared. It calls itself Ransom32 in its ransom note. Ransom32 encrypts files with strong, military-grade encryption, and the ransom note states that you have only one week to pay before the decryption key is destroyed.

Name: Ransom32
Type: Ransomware
Short Description: The ransomware encrypts files with a wide range of extensions and asks for money to decrypt them.
Symptoms: Files get locked and become unusable. A ransom message pops up.
Distribution Method: Spam Emails, Email Attachments, Suspicious Sites

[Image: Ransom32 ransom message. Image source: Emsisoft]

Ransom32 Ransomware – Distribution Techniques

The most widespread distribution technique is known to be through malicious email attachments and spam emails. You may receive an email with the malware file attached. If you open the attachment, the ransomware is released. Currently, the file is reported to be a 22 MB self-extracting WinRAR archive, which is quite large, compared to other types of ransomware.

Around the Web, social networks, and file sharing services, there may be similar attachments and files containing the Ransom32 ransomware, disguised as something else.

Ransom32 Ransomware – Technical Information

Ransom32 is classified as ransomware, and it is just that. What distinguishes it from other ransomware is that it is written entirely in JavaScript. There has been very similar ransomware before, such as Encryptor RaaS, but it was only partially based on Java.

The ransomware uses NW.js, a framework for building desktop applications in JavaScript that run on Linux, Mac OS X, and Windows. With it, specific scripts can be wrapped up in a Chromium package and run automatically.

Ransom32 gets onto your computer as a self-extracting archive. When executed, it copies its files into a folder that mimics a Google Chrome installation directory:

→%AppData%\Chrome Browser

The copied files closely resemble those of Google Chrome and of the Chromium project. That resemblance is deliberate: it is meant to make the folder look like a Google Chrome installation. In reality, those files contain malicious scripts. The files are the following:

  • chrome – contains a General Public License agreement.
  • chrome.exe – NW.js code package that contains the ransomware.
  • g – contains the ransomware’s settings.
  • rundll32.exe – contains the Tor client.
  • ffmpegsumo.dll, nw.pak, icudtl.dat, locales – data files required for NW.js to run properly.
  • s.exe – contains a program named Optimum X Shortcut, used to create a shortcut to the ransomware in the Startup folder so that it runs on every start of the OS.
  • msgbox.vbs – this script can be set to show a custom popup message with the ransom note.
  • u.vbs – script used for deleting all files and folders in a directory. Likely used to delete some of the ransomware files after file encryption.
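A read-only triage script for the drop folder and Startup-folder shortcut described above. This is an added example, not code from the article or from Emsisoft; the scoring thresholds, the Startup path and the way the .lnk file is searched (raw substring match in ANSI and UTF-16LE) are assumptions.

```python
# Added example (not from the article): check a Windows profile for the
# Ransom32 drop folder and the Startup shortcut described in the text.
import os
from pathlib import Path

# File names the article lists as dropped into %AppData%\Chrome Browser
DROP_FILES = {"chrome", "chrome.exe", "g", "rundll32.exe", "s.exe",
              "msgbox.vbs", "u.vbs", "ffmpegsumo.dll", "nw.pak", "icudtl.dat"}
# Names a genuine Chrome install never ships in this folder (assumption)
STRONG = {"g", "s.exe", "msgbox.vbs", "u.vbs", "rundll32.exe"}


def inspect_drop_folder(folder):
    """Score a candidate 'Chrome Browser' folder against the known file set."""
    folder = Path(folder)
    if not folder.is_dir():
        return 0, []
    names = {p.name.lower() for p in folder.iterdir()}
    hits = sorted(names & DROP_FILES)
    # 1 point per matching name, 2 extra points per strong indicator
    score = len(hits) + 2 * len(names & STRONG)
    return score, hits


def startup_shortcuts_to(startup_dir, needle="Chrome Browser"):
    """Return .lnk files in a Startup folder whose raw bytes mention `needle`.
    Shortcut files store paths as ANSI or UTF-16LE, so both are searched."""
    startup_dir = Path(startup_dir)
    if not startup_dir.is_dir():
        return []
    patterns = (needle.encode("ascii"), needle.encode("utf-16-le"))
    found = [lnk.name for lnk in startup_dir.glob("*.lnk")
             if any(p in lnk.read_bytes() for p in patterns)]
    return sorted(found)


def triage(appdata, startup_dir):
    """Combine both checks into a verdict (threshold 6 is an assumption)."""
    score, hits = inspect_drop_folder(Path(appdata) / "Chrome Browser")
    lnks = startup_shortcuts_to(startup_dir)
    suspicious = score >= 6 or (lnks and hits)
    verdict = "likely Ransom32" if suspicious else "no Ransom32 artifacts"
    return {"score": score, "files": hits, "startup_shortcuts": lnks,
            "verdict": verdict}


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA", "")
    startup = Path(appdata) / "Microsoft/Windows/Start Menu/Programs/Startup"
    print(triage(appdata, startup))
```

Run it from the affected user's session, or point `triage()` at the Roaming folder of a mounted disk image.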

Afterwards, it runs the Tor client inside rundll32.exe to connect to the Tor network and hide its traffic. Through that connection it obtains a unique Bitcoin address, which is placed in the ransom message so that you know where to send the money. We do not advise paying, as there is absolutely no guarantee that you will get your files back, or even that the cyber criminals will contact you at all.

Then, the ransomware starts locking files. It uses a 128-bit AES key to encrypt them. A different key is used for each file, and the key itself is encrypted with the RSA algorithm. Both AES and RSA are strong, military-grade algorithms and nearly impossible to break.

Ransom32 is known to search for and encrypt files with these extensions:

→.jpg ,.jpeg ,.raw ,.tif ,.gif ,.png ,.bmp ,.3dm ,.max ,.accdb ,.db ,.dbf ,.mdb ,.pdb ,.sql ,.*sav* ,.*spv* ,.*grle* ,.*mlx* ,.*sv5* ,.*game* ,.*slot* ,.dwg ,.dxf ,.c ,.cpp ,.cs ,.h ,.php ,.asp ,.rb ,.java ,.jar ,.class ,.aaf ,.aep ,.aepx ,.plb ,.prel ,.prproj ,.aet ,.ppj ,.psd ,.indd ,.indl ,.indt ,.indb ,.inx ,.idml ,.pmd ,.xqx ,.xqx ,.ai ,.eps ,.ps ,.svg ,.swf ,.fla ,.as3 ,.as ,.txt ,.doc ,.dot ,.docx ,.docm ,.dotx ,.dotm ,.docb ,.rtf ,.wpd ,.wps ,.msg ,.pdf ,.xls ,.xlt ,.xlm ,.xlsx ,.xlsm ,.xltx ,.xltm ,.xlsb ,.xla ,.xlam ,.xll ,.xlw ,.ppt ,.pot ,.pps ,.pptx ,.pptm ,.potx ,.potm ,.ppam ,.ppsx ,.ppsm ,.sldx ,.sldm ,.wav ,.mp3 ,.aif ,.iff ,.m3u ,.m4u ,.mid ,.mpa ,.wma ,.ra ,.avi ,.mov ,.mp4 ,.3gp ,.mpeg ,.3g2 ,.asf ,.asx ,.flv ,.mpg ,.wmv ,.vob ,.m3u8 ,.csv ,.efx ,.sdf ,.vcf ,.xml ,.ses ,.dat

After the files are encrypted the ransom note pops up and the sum of $35 is demanded as a ransom. If you don’t pay after four days, the sum multiplies ten times, to $350 for the decryption key.

Restoring files

  • Backups

The easiest and most reliable way to restore files after a ransomware infection remains backups. After removing the threat, you can use a backup, if you have one, to restore your data.

  • Shadow Volume Copies

Currently, there is no information on whether Ransom32 erases Shadow Volume Copies from the Windows OS. So, after removal, check the 5th section of the instructions below for a few ways in which you can try to restore your files.

Ransom32 Ransomware – Removal Guide

If you have been infected by the Ransom32 ransomware, you should have at least a little experience in removing malware. This ransomware can irreparably lock your files, so it is highly recommended that you act swiftly and follow the instructions provided below:

1. Boot Your PC In Safe Mode to isolate and remove Ransom32
2. Remove Ransom32 with SpyHunter Anti-Malware Tool
3. Remove Ransom32 with STOPZilla AntiMalware
4. Back up your data to secure it against infections and file encryptions by Ransom32 in the future
NOTE! Important notice about the Ransom32 threat: Manual removal of Ransom32 requires interfering with system files and the registry, which can damage your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
