In an Emsisoft blog post, Chief Technology Officer Fabian Wosar explained the malware and its Tor-based admin web interface. Users of the service simply log in with their Bitcoin wallet address, and once logged in they have every control feature in their hands: they can read the message that is displayed to victims when the malware is installed and set how much ransom to demand from victims in exchange for the encryption keys. The cybercriminal can also track the amount already paid and how many computers have been infected.
Once Ransom32 is installed, it starts encrypting the victim’s files with 128-bit AES encryption keys, working together with its Tor-based command-and-control server. The malware can encrypt every kind of file stored on the system: documents, PDFs, Word and Excel files, databases, e-mails, photos, videos, audio files and many more. It generates a new key for each file and uses AES in counter (CTR) mode. Each per-file key is then encrypted with the public key obtained from the command-and-control server, and the file is saved in encrypted form.
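To make the key hierarchy described above concrete, the following is an added Go model (written for this article, not Emsisoft’s analysis code or anything taken from the malware) of a per-file 128-bit AES-CTR key wrapped to the server’s public key, plus the server-side unwrap used in the “Proof of Life” step. RSA-OAEP and the 2048-bit key size are assumptions, since the post names neither; the point it demonstrates is why a key handed back for one file recovers only that file.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile is what the scheme described above leaves per file: the AES-CTR ciphertext plus the wrapped per-file key.
type EncryptedFile struct {
	IV         []byte
	Ciphertext []byte
	WrappedKey []byte // 128-bit AES key, encrypted to the server's public key
}

// newServerKeyPair stands in for the key pair held on the C2 server (RSA-OAEP is assumed; the post names no scheme).
func newServerKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// ctr applies AES-CTR; the same call both encrypts and decrypts.
func ctr(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// encryptFile draws a fresh key and IV for this one file, encrypts, and wraps the key so only the server can recover it.
func encryptFile(plaintext []byte, serverPub *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 16+aes.BlockSize) // per-file key followed by the CTR IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:16], buf[16:]
	ct := ctr(key, iv, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, key, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{IV: iv, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// proofOfLife models the server side of the exchange: unwrap one file's key with the private key and hand it back.
func proofOfLife(f *EncryptedFile, serverPriv *rsa.PrivateKey) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, f.WrappedKey, nil)
}
```

Without the private key nothing on the infected host can unwrap any per-file key, and the single key returned during the proof-of-life exchange decrypts only the file it was generated for.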
Ransom32 also has another notable feature, “Proof of Life”. This feature is meant to assure victims that their files can be recovered. Wosar says it “offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption”. He also notes that “During this process the malware will send the encrypted AES key from the chosen file to the (command and control) server and gets the decrypted per-file AES key back in return.”