| Field | Details |
|---|---|
| Short Description | The ransomware encrypts files with a wide range of extensions and asks for money to decrypt them. |
| Symptoms | Files get locked and become unusable. A ransom message pops up. |
| Distribution Method | Spam emails, email attachments, suspicious sites |
Image Source: Emsisoft
Ransom32 Ransomware – Distribution Techniques
The most widespread distribution technique is known to be through malicious email attachments and spam emails. You may receive an email with the malware file attached. If you open the attachment, the ransomware is released. Currently, the file is reported to be a 22 MB self-extracting WinRAR archive, which is quite large, compared to other types of ransomware.
Around the Web, social networks, and file sharing services, there may be similar attachments and files containing the Ransom32 ransomware, disguised as something else.
Ransom32 Ransomware – Technical Information
The ransomware is built on NW.js, a framework for writing JavaScript applications that run on Linux, Mac OS X, and Windows. The malicious scripts are bundled into a Chromium package and executed automatically.
Ransom32 arrives as a self-extracting archive; when executed, it copies its files to a folder and then into the Google Chrome directory:
The copied files closely resemble those of Google Chrome and the Chromium project. That resemblance is deliberate: it is meant to make you believe that a Google Chrome browser is installed. Alas, those files contain malicious scripts. The files are the following:
- chrome – contains a General Public License agreement.
- chrome.exe – NW.js code package that contains the ransomware.
- g – contains the ransomware’s configuration settings.
- rundll32.exe – contains the Tor client.
- ffmpegsumo.dll, nw.pak, icudtl.dat, locales – data files required for NW.js to run properly.
- s.exe – contains a program named Optimum X Shortcut, used to create a shortcut for the ransomware in the Startup folder, so it runs on every start of the OS.
- msgbox.vbs – this file can be set to show a custom popup message with the ransom note.
- u.vbs – script used for deleting all files and folders in a directory. Likely used to delete some of the ransomware files after file encryption.
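The file set above is a useful triage signature: NW.js runtime files are legitimate on their own, but rundll32.exe, s.exe, msgbox.vbs, u.vbs and g sitting next to them in a Chrome-like folder are not. The following script is an added example (not code from the page or from Emsisoft) that walks a directory tree and reports folders holding that combination; it builds a constructed sample tree so it runs offline, and the minimum-match threshold is an assumed tuning value.

```python
import os
import tempfile

# File names the write-up lists for the Ransom32 drop folder.
# NW.js runtime files are kept separate: they are benign alone and only
# matter when found together with the ransomware-specific files.
RANSOM32_FILES = {"chrome.exe", "rundll32.exe", "s.exe", "msgbox.vbs", "u.vbs", "g"}
NWJS_RUNTIME = {"ffmpegsumo.dll", "nw.pak", "icudtl.dat"}


def score_directory(path):
    """Return (ransomware files present, NW.js runtime files present) in `path`."""
    try:
        names = {n.lower() for n in os.listdir(path)}
    except OSError:
        return set(), set()
    return names & RANSOM32_FILES, names & NWJS_RUNTIME


def find_suspect_dirs(root, min_matches=4):
    """Walk `root` and return (dir, ransomware files, runtime files) for every
    directory holding at least `min_matches` of the Ransom32-specific files
    alongside NW.js runtime data. A genuine Chrome install never ships
    rundll32.exe or .vbs helpers, so the combination is distinctive."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        found, runtime = score_directory(dirpath)
        if len(found) >= min_matches and runtime:
            hits.append((dirpath, sorted(found), sorted(runtime)))
    return hits


def demo():
    """Constructed sample layout: one folder mimicking the drop, one benign."""
    root = tempfile.mkdtemp()
    bad = os.path.join(root, "Chrome", "App")
    good = os.path.join(root, "Chrome", "Real")
    os.makedirs(bad)
    os.makedirs(good)
    for name in ["chrome.exe", "rundll32.exe", "s.exe", "msgbox.vbs", "u.vbs", "g",
                 "nw.pak", "icudtl.dat"]:
        open(os.path.join(bad, name), "w").close()
    for name in ["chrome.exe", "chrome.dll"]:  # looks like Chrome, lacks the helpers
        open(os.path.join(good, name), "w").close()
    return find_suspect_dirs(root)


if __name__ == "__main__":
    for directory, found, runtime in demo():
        print(f"suspect: {directory} files={found} runtime={runtime}")
```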
Afterwards, it runs the Tor client inside rundll32.exe to connect to the Tor network and stay untraceable. Through that connection it obtains a unique Bitcoin address, which is shown in the ransom message so you know where to send the ransom money. We do not advise paying, as there is absolutely no guarantee that you will get your files back that way, or even that the cyber criminals will contact you at all.
Then, the ransomware starts locking files. It uses a 128-bit AES key to encrypt them. A different key is used for each file, and the key itself is encrypted with the RSA algorithm. Both AES and RSA are strong, military-grade algorithms and nearly impossible to break.
Ransom32 is known to search for and encrypt files with these extensions (entries containing asterisks, such as .*sav*, are pattern matches rather than fixed extensions):
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .*sav*, .*spv*, .*grle*, .*mlx*, .*sv5*, .*game*, .*slot*, .dwg, .dxf, .c, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .csv, .efx, .sdf, .vcf, .xml, .ses, .dat
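A defender can turn that list into a backup-coverage check: walk a share or user profile and list every file the ransomware's selection logic would pick up, so you can confirm those files are covered by backups. The script below is an added example (not code from the page or from Emsisoft); it uses an abridged subset of the extension list above, treats the asterisk entries as glob patterns over the extension, and builds a constructed sample tree so it runs offline.

```python
import fnmatch
import os
import tempfile

# Abridged subset of the extension list quoted in the write-up. Entries such as
# ".*sav*" are wildcard patterns: any extension containing the fragment matches.
TARGETED = [".jpg", ".png", ".docx", ".xlsx", ".pdf", ".sql", ".db", ".c", ".cpp",
            ".*sav*", ".*game*", ".dwg", ".psd", ".mp3", ".mp4", ".csv", ".dat"]


def compile_patterns(entries):
    """Split the list into a set of exact extensions and a list of glob patterns."""
    exact, globs = set(), []
    for entry in entries:
        entry = entry.strip().lower().lstrip(".")
        if "*" in entry:
            globs.append(entry)
        else:
            exact.add(entry)
    return exact, globs


def is_targeted(filename, exact, globs):
    """True if the file's extension is listed exactly or matches a wildcard entry.
    Matching is case-insensitive, as Windows file names are."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if not ext:
        return False
    return ext in exact or any(fnmatch.fnmatchcase(ext, g) for g in globs)


def at_risk_inventory(root, entries=TARGETED):
    """Walk `root` and return sorted, slash-separated relative paths of the files
    a Ransom32-style file walker would select."""
    exact, globs = compile_patterns(entries)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_targeted(name, exact, globs):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def demo():
    """Constructed sample tree: office files, game saves and a few non-targets."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "saves"))
    for name in ["report.DOCX", "budget.xlsx", "photo.jpg", "main.c", "notes.md",
                 "setup.exe", "README", os.path.join("saves", "slot1.sav"),
                 os.path.join("saves", "world.gamesave")]:
        open(os.path.join(root, name), "w").close()
    return at_risk_inventory(root)
```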
After the files are encrypted the ransom note pops up and the sum of $35 is demanded as a ransom. If you don’t pay after four days, the sum multiplies ten times, to $350 for the decryption key.
The easiest and most effective way to restore your files after ransomware remains backups. After removing the threat, you can use a backup, if you have one, to restore your data.
- Shadow Volume Copies
Currently, there is no information on whether Shadow Volume Copies are erased from the Windows OS. So, after removal, you should check the 5th section of the instructions below for a few ways in which you can try to restore your files.
Ransom32 Ransomware – Removal Guide
If you have been infected by the Ransom32 ransomware, you should have at least a little experience in removing malware. This ransomware can irreparably lock your files, so it is highly recommended that you act swiftly and follow the instructions provided below: