A new ransomware has been discovered recently and among its distinguishing characteristics is the fact that it pretends to be Google's Chrome browser. ESET's security solutions detect this threat as Win32/Filecoder.NFR and it was first analyzed by Emsisoft, which named it Ransom32.
It works in the form of 'Ransomware as a Service' (RaaS) from a hidden server in the Tor network. There, cybercriminals can choose what malware will infect the victim, how many bitcoins it will ask for as a ransom and what threatening messages it will show in the screen. They can also see statistics on how many users were infected and how many of them actually paid.
Once Ransom32 installs itself on the system and is executed, it will unpack all of its malicious files in the temporary files folder and make sure it's executed on every boot. The malicious file, chrome.exe, disguises itself as the popular Chrome web browser. However, it is possible to see in its properties that it's not digitally signed, and that the information regarding the version and name of the product has been erased.
Matías Porolli, malware analyst at ESET Latin America, explains how Ransom32 works: “Once the user executes the application, typical ransomware actions take place, such as encryption of files, contact with the server, and appearance of messages demanding a ransom."
The extensions targeted for encryption are over a hundred, and among them are the most frequent ones used for text and images files like .TXT, .DOC, .JPG, .GIF, .AVI, .MOV, and .MP4.
Another detail worth mentioning that differentiates Ransom32 from other similar threats is that its size is around 45 MB, which is odd as ransomware is usually smaller. Nonetheless, this makes sense because it pretends to be a web browser.
"At this point it becomes evident that Ransom32 is very different from other ransomware, which rarely exceed 1 MB in size,"Emsisoft reports. "In fact, most ransomware authors use the small size of their malicious files as some kind of unique selling point when advertising their campaigns in underground hacker communities."
As Ransom32 is a type of Filecoder, cybercriminals use different methods to get the malware onto victims’ systems:
- Malicious websites
- Drive-by-download attacks
- Malicious email attachments
- Use of other trojan-downloaders or backdoors
Files are encrypted using AES with a 128 bit key, and a new key is generated for each file. The latter is encrypted using the RSA algorithm and a public key obtained from the C2 server during the first communication.
Further reading: Ransomware 101 - FAQ for computer users and smartphone owners