Cybercrime has piggybacked on the extremely successful SaaS model and several strains of Ransomware-as-a-Service (RaaS) like TOX, Fakben and Radamant have appeared in 2015.
So, how did the bad guys implement this technically?
Using this architecture they can encrypt client-side files without consuming many resources and stay under the radar to prevent detection. Ransom32 targets only specific file extensions and encrypts them with AES, but it uses wildcards like .*sav* to maximize its "effectiveness". A large benefit for the malware author is that NW.js is a legitimate framework and application, so it is no surprise that antivirus signature coverage is still very poor at the time of writing (see VirusTotal).
How Does This Ransomware-as-a-Service Work?
Any newbie cybercriminal can easily go to a darkweb TOR site, register with a Bitcoin address, then configure and download their very own customized version of the executable. The developers take a 25% cut of all ransom payments and forward the rest to their criminal affiliate. You can run multiple campaigns with different Bitcoin addresses. The executable can be spread with the usual infection vectors: massive spray-and-pray phishing campaigns, targeted spear-phishing, malvertising with poisoned ads on websites compromised with exploit kits causing drive-by downloads of the RaaS executable, manually hacking Linux servers, or brute-forcing terminal servers.
What Is The Scary Part?
Larry Abrams at BleepingComputer put it best: "No administrative rights necessary. Runs under the security context of the user. The ransomware itself isn't a big deal at all. It must be executed, just like any other executable because that is what it is, or installed via an exploit just like all other ransomware."
He summarized with this shorthand: "Uses AES encryption. Affiliate service. No way to decrypt for free at this time. Extracts to folder in %Temp% and %AppData%\Chrome Browser. Creates startup called ChromService. Uses TOR to communicate with C2."
What To Do About It
- It is still early days; at the moment there is no known way to decrypt the files for free, but if malware researchers reverse engineer the code and find a way to get your files back, we will update this post.
- Your best protection remains a solid and proven backup strategy, with regular off-site copies.
- For mitigation purposes, treat this like any other ransomware. Continue blocking executables from running from standard user-writable paths (%appdata%, %temp%, etc.).
- Step your users through effective security awareness training which includes frequent simulated phishing attacks.
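As an added illustration of the path-blocking mitigation above (example code written for this post, not from KnowBe4 or from the original article), the following PowerShell builds an AppLocker executable rule set that keeps the default allow rules and adds deny rules for the per-user %AppData% and %Temp% locations Ransom32 is described as extracting to, starting in audit mode so you can see what would be blocked before enforcing. The policy and probe file names are assumptions; AppLocker needs an elevated session and the Application Identity service running to enforce.

```powershell
# Added example, not from the original post: AppLocker EXE rules that deny
# execution from per-user %AppData% and %Temp% while keeping the default allow
# rules so normal software still runs. Starts in AuditOnly: would-be blocks
# appear as event 8003 in the "AppLocker/EXE and DLL" log; switch the
# EnforcementMode to "Enabled" once that log shows no legitimate software.

# AppLocker does not expand %APPDATA%/%TEMP%; use its own path variables.
$denyPaths = @(
    '%OSDRIVE%\Users\*\AppData\Roaming\*',     # %AppData%, e.g. "Chrome Browser"
    '%OSDRIVE%\Users\*\AppData\Local\Temp\*'   # %Temp%
)

function New-PathRule([string]$Path, [string]$Action, [string]$Sid, [string]$Name) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# Default AppLocker allow rules: S-1-1-0 = Everyone, S-1-5-32-544 = Administrators.
# Deny rules always take precedence over allow rules, whatever their order.
$rules = @(
    (New-PathRule '%PROGRAMFILES%\*' 'Allow' 'S-1-1-0'      'Allow Program Files'),
    (New-PathRule '%WINDIR%\*'       'Allow' 'S-1-1-0'      'Allow Windows folder'),
    (New-PathRule '*'                'Allow' 'S-1-5-32-544' 'Allow administrators')
)
foreach ($p in $denyPaths) { $rules += New-PathRule $p 'Deny' 'S-1-1-0' "Deny $p" }

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
$policyPath = Join-Path $env:TEMP 'applocker-appdata-deny.xml'   # assumed file name
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: copy a known-good binary into %Temp% and ask what the policy would decide.
$probe = Join-Path $env:TEMP 'probe.exe'                          # assumed file name
Copy-Item "$env:WINDIR\System32\notepad.exe" $probe
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $probe -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule
Remove-Item $probe

# Apply to the local machine, merging with any rules already present.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

For domain-wide rollout, import the same XML into a GPO with Set-AppLockerPolicy -Ldap instead of applying it locally.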
We want to thank our friends over at BleepingComputer, who brought this threat to our attention first. Also, for a more thorough and detailed explanation of how Ransom32 utilizes NW.js and encrypts your data, please see this great Emsisoft article.
Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.
KnowBe4's integrated training and phishing platform allows you to send Word document attachments containing macros, so you can see which users open the attachments and then enable the macros!
See it for yourself and get a live, one-on-one demo.