Tuesday, 5 January 2016
In a blog post, Emsisoft Chief Technology Officer Fabian Wosar described the malware and its Tor-based administrative Web interface. Users of the service log in with their Bitcoin wallet addresses; once they're connected, they can configure features of the malware "client" for the service, such as the messages displayed to victims during the malware installation and how much to demand in ransom for encryption keys. They can also track the payments already made and how many systems have become infected.
The malware is also packaged with a renamed version of the Optimum X Shortcut utility—software used to create and change Start menu items and desktop shortcuts. The entire payload is over 22 megabytes, which is huge in comparison to other crypto-ransomware packages.
Once installed, Ransom32 retrieves a 128-bit AES encryption key from the Tor command and control server and starts encrypting a wide range of user files: Office documents, other text document formats, PDFs, images, databases, e-mail message archives, videos and music, etc. It encrypts in counter (CTR) block mode and generates a new key for each file. Each per-file key is then encrypted using a public key from the command and control server and stored as part of the encrypted file.
Another novel feature of Ransom32 is a sort of "proof of life" capability that demonstrates to victims that their files can be retrieved. The malware "offers to decrypt a single file to demonstrate that the malware author has the capability to reverse the decryption," Wosar noted. "During this process the malware will send the encrypted AES key from the chosen file to the (command and control) server and gets the decrypted per-file AES key back in return."
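The per-file key scheme and the "proof of life" exchange described above, as an added illustration in Go; this is not the article's code and not Ransom32's, but a textbook hybrid-encryption envelope written from the defender's side to show why the design holds up. The envelope layout (length-prefixed wrapped key, then the CTR IV, then ciphertext), the RSA-OAEP key wrapping and all function names are assumptions for this example only. Two things are worth seeing concretely: the wrapped key stored in every file reveals nothing to anyone without the operator's private key, and unwrapping a single key, which is all the "proof of life" step does, recovers only that one file, since each file carries its own key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	fileKeyLen = 16 // AES-128, as the article describes
	ivLen      = aes.BlockSize
)

// Assumed envelope layout for this illustration (not Ransom32's real format):
//   [2-byte big-endian length][RSA-OAEP wrapped file key][16-byte CTR IV][ciphertext]

// EncryptFile models the per-file step: a fresh random AES-128 key, CTR mode,
// and the key wrapped with the operator's RSA public key and stored in the file.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	fileKey := make([]byte, fileKeyLen)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	iv := make([]byte, ivLen)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fileKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)

	var out bytes.Buffer
	binary.Write(&out, binary.BigEndian, uint16(len(wrapped)))
	out.Write(wrapped)
	out.Write(iv)
	out.Write(ct)
	return out.Bytes(), nil
}

// ParseEnvelope splits a stored file into its three parts. The victim can read
// the wrapped key but cannot unwrap it: that needs the private key, which only
// the command and control server holds.
func ParseEnvelope(env []byte) (wrapped, iv, ct []byte, err error) {
	if len(env) < 2 {
		return nil, nil, nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(env[:2]))
	if len(env) < 2+n+ivLen {
		return nil, nil, nil, errors.New("envelope truncated")
	}
	wrapped = env[2 : 2+n]
	iv = env[2+n : 2+n+ivLen]
	ct = env[2+n+ivLen:]
	return wrapped, iv, ct, nil
}

// ServerUnwrap models the server side of the "proof of life" exchange: it
// receives one wrapped key and returns that file's AES key.
func ServerUnwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

// DecryptWithFileKey is what the victim can do once a per-file key has been
// returned. CTR mode is symmetric, so decryption is the same keystream XOR.
func DecryptWithFileKey(fileKey, env []byte) ([]byte, error) {
	_, iv, ct, err := ParseEnvelope(env)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(fileKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCTR(block, iv).XORKeyStream(pt, ct)
	return pt, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	docA := []byte("constructed sample document A") // constructed sample input
	docB := []byte("constructed sample document B") // constructed sample input
	envA, _ := EncryptFile(&priv.PublicKey, docA)
	envB, _ := EncryptFile(&priv.PublicKey, docB)

	// Proof of life: the server unwraps exactly one file's key.
	wrappedA, _, _, _ := ParseEnvelope(envA)
	keyA, _ := ServerUnwrap(priv, wrappedA)
	gotA, _ := DecryptWithFileKey(keyA, envA)
	gotB, _ := DecryptWithFileKey(keyA, envB) // wrong key for B: yields garbage
	fmt.Printf("A recovered: %v, B recovered with A's key: %v\n",
		bytes.Equal(gotA, docA), bytes.Equal(gotB, docB))
}
```

Running the program prints `A recovered: true, B recovered with A's key: false`. For incident responders, the practical consequence is that a decryption key obtained for one file is not a recovery path for the rest, and that no amount of analysis of the infected machine yields the private key, because it never leaves the server.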