Ransom32 – A New Ransomware Discovered By Researcher

ransom32 interface

Security Researcher Emisoft company, which is an Anti-virus company has found a new kind of ransomware – Ransom32. When it infect victims computer then it encrypts the file and demand for ransom in order to provide file access to victims again. The Ransom32 malicious is different from CryptoWall and other earlier ransomware. The difference is that it is coded using JavaScript and it is offered to be like a cybercriminals as paid service.

In a Emisoft blog, the Chief Technology Officer Fabian Wosar has explained the malware and its Tor-based admin web interface. Users who uses the service has to just log in with their Bitcoin wallet address and once they get successfully logged in, they have all control features in their hand such as they can read the messages that is displayed to the victims when they install malware and how much ransom they should ask from the victims for providing encryption keys. The cybercriminal can track the amount already paid and how many computer have been infected.

The malware is based on NW.js – a framework that works on Node.js and allows the developer to give Windows application command in JavaScript. This malware comes as “chrome.exe” with Tor client renamed as “rundll32.exe” along with a package of some Visual Basic scripts that is designed to display messages in a form of pop-up and perform some file exploitation. The malware also comes with Optimum X shortcut tool – a program that is designed to make and modify the Start menu stuffs and desktop shortcuts. The malware files come in over 22MB which is much more than all the previous ransomware packages.

Once Ransom32 gets installed, it starts encrypting victim’s files by gaining 128-bit AES encryption keys from the TOR command and it also able to control server. This malware can easily encrypt all files stored in your systems such as documents files, PDF files, Word, excel, databases, e-mails, Photos, videos, audio files and many more. It creates new keys for each file by using counter block mode. After this, each key is encrypted with the use of public key from the command and control server and saves the file in encrypted form.

This Ransom32 also has another great feature “Proof of Life”. This feature gives a surety to victims that their files can be retrieved very easily. Wosar says “offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption”. He also mentioned that “During this process the malware will send the encrypted AES key from the chosen file to the (command and control) server and gets the decrypted per-file AES key back in return.”


Though Ranson32 is Windows Based malware and since it uses JavaScript Node.js, it means that it can also be applied to another operating system by doing some minor changes. And in coming time “ransom as a service” is surely going to come in future. So, be careful and protect your PC (Also Read – How Ransomware Spreads and Works – Complete Solution to Avoid It )as much as possible while you download anything form internet.