According to BleepingComputer owner Lawrence Abrams, the malware is offered to cybercriminals as Ransomware as a Service (RaaS), for which the developers take a 25 percent cut of all ransom payments.
The ransomware is delivered as a 22 MB WinRAR self-extracting archive containing a packaged NW.js application.
So while Ransom32 currently appears to be Windows-only, Wosar noted, it could easily be packaged for Mac OS X and Linux as well.
In addition, because NW.js is a legitimate framework and application, it’s extremely difficult for anti-virus software to detect the malware — at this point, VirusTotal reports that only three of 54 leading anti-virus solutions detect Ransom32 as malicious.
Once the malware is executed on a system, it starts a bundled Tor client to connect to a command and control server, then begins encrypting the user's files and displays a ransom note demanding payment in Bitcoin within six days, threatening that all encrypted data will otherwise be destroyed.
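The delivery mechanism described above, a WinRAR self-extracting executable with a packaged NW.js application inside, is something a responder can triage without running the sample. The script below is an added example written for this article; it is not Ransom32 code, nor tooling from Emsisoft or eSecurity Planet. It scans a blob for the RAR 4.x marker that WinRAR appends after an SFX stub, walks the archive's block headers to list member file names, and flags an executable whose archive carries the files a stock NW.js application bundle normally ships. The marker file names (package.json, nw.pak, icudtl.dat) and the "two or more" threshold are the author's assumptions about what is indicative, not published indicators for Ransom32; the sample SFX is constructed inline, and RAR5 archives (a different header layout) are reported as containing no RAR4 archive.

```python
"""Triage a suspected WinRAR self-extracting (SFX) executable for bundled NW.js files.

Added example, not Ransom32 code or vendor tooling.  Walks the RAR 4.x block headers
appended after an SFX stub and flags archives carrying files a packaged NW.js
application normally ships (an assumption about what is indicative).  RAR5 archives
use a different layout and are reported as having no RAR4 archive.
"""
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR 4.x marker block (RAR5 is "Rar!\x1a\x07\x01\x00")
HEAD_FILE, HEAD_END = 0x74, 0x7B
FLAG_LONG_BLOCK = 0x8000               # ADD_SIZE field present (for file headers it is PACK_SIZE)
FLAG_LARGE = 0x100                     # 64-bit sizes: HIGH_PACK_SIZE/HIGH_UNP_SIZE precede the name
FLAG_UNICODE = 0x200                   # name field holds ASCII name, NUL, then an encoded Unicode name

# Assumption: files a stock NW.js app bundle ships; two or more inside an SFX is suspicious.
NWJS_MARKERS = {"package.json", "nw.pak", "icudtl.dat"}


def list_rar4_members(blob: bytes) -> list:
    """Return member file names of the first RAR 4.x archive embedded in blob ([] if none)."""
    off = blob.find(RAR4_MARKER)
    if off < 0:
        return []
    off += len(RAR4_MARKER)
    names = []
    while off + 7 <= len(blob):
        _crc, htype, hflags, hsize = struct.unpack_from("<HBHH", blob, off)
        if hsize < 7 or htype == HEAD_END:
            break                        # malformed header or explicit end-of-archive block
        add_size = 0
        if hflags & FLAG_LONG_BLOCK:
            if off + 11 > len(blob):
                break
            add_size = struct.unpack_from("<I", blob, off + 7)[0]
        if htype == HEAD_FILE:
            # Fixed layout: +7 PACK_SIZE, +11 UNP_SIZE, +15 HOST_OS, +16 FILE_CRC,
            # +20 FTIME, +24 UNP_VER, +25 METHOD, +26 NAME_SIZE, +28 ATTR, +32 [HIGH sizes], name
            name_size = struct.unpack_from("<H", blob, off + 26)[0]
            name_off = off + 32
            if hflags & FLAG_LARGE:
                add_size |= struct.unpack_from("<I", blob, off + 32)[0] << 32
                name_off += 8
            raw = blob[name_off:name_off + name_size]
            if hflags & FLAG_UNICODE:
                raw = raw.split(b"\x00", 1)[0]   # keep the ASCII part, skip the compressed Unicode form
            names.append(raw.decode("latin-1"))
        off += hsize + add_size              # skip header plus packed data
    return names


def triage_sfx(blob: bytes) -> dict:
    """Heuristic verdict: a PE image with an appended RAR4 archive carrying NW.js files."""
    members = list_rar4_members(blob)
    basenames = {m.replace("\\", "/").rsplit("/", 1)[-1].lower() for m in members}
    hits = sorted(basenames & NWJS_MARKERS)
    is_pe = blob[:2] == b"MZ"
    return {
        "pe_with_rar4": is_pe and bool(members),
        "members": members,
        "nwjs_markers": hits,
        "suspicious": is_pe and len(hits) >= 2,
    }


# ---- constructed sample: a fake SFX stub followed by a hand-built, stored RAR4 archive ----
def _rar4_file_block(name: bytes, data: bytes) -> bytes:
    """One stored (method 0x30) file entry; header CRC left 0 because nothing here checks it."""
    head = struct.pack("<HBHH", 0, HEAD_FILE, FLAG_LONG_BLOCK, 32 + len(name))
    head += struct.pack("<II", len(data), len(data))             # PACK_SIZE, UNP_SIZE
    head += struct.pack("<BIIBBHI", 0, 0, 0, 29, 0x30, len(name), 0x20)
    return head + name + data


def build_sample_sfx(member_names) -> bytes:
    """Constructed test input: 'MZ' stand-in stub, marker, main header, file entries, end block."""
    stub = b"MZ" + b"\x90" * 64
    main_head = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6
    files = b"".join(_rar4_file_block(n.encode(), b"x" * 16) for n in member_names)
    end = struct.pack("<HBHH", 0, HEAD_END, 0, 7)
    return stub + RAR4_MARKER + main_head + files + end


if __name__ == "__main__":
    sample = build_sample_sfx(["package.json", "nw.pak", "icudtl.dat", "app/index.html"])
    print(triage_sfx(sample))
```

Because the archive is appended after the stub rather than hidden inside it, the marker scan works on the dropped executable directly; the header CRCs are deliberately ignored so a truncated or lightly corrupted sample still yields its file list for triage.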
“Whatever feature or capability makes a language or platform great for developers will also be leveraged by cyber criminals,” Tripwire director of IT and risk strategy Tim Erlin told eSecurity Planet by email. “The self-contained runtime environment and cross-platform nature of NW.js allows a developer to ship code that’s easy to get running on as many systems as possible, and that’s just the kind of feature a malware author needs.”
“As is the case with most malware, we tend to focus on the interesting technical discussion of the code itself, rather than the much more practical infection vectors,” Erlin added. “No one wants to read another article about phishing, yet it continues to be a primary method for malware to find its intended target.”