The Ransom32’s Origin
If you keep an eye on ransomware threats or the RaaS (ransomware as a service) market, you most likely have already heard about Ransom32, the first JavaScript ransomware. Emisoft provides a good description of the first version of it here and Malwarebytes gives some implementation details of the malicious package here. At first glance this particular threat doesn’t look scary at all. You have to find a way to deliver a malware file larger than 22 MB malware, whereas most ransomware variants rarely exceed 1 MB in size.
I needed a piece of malware to analyze for a malware analysis class I started recently, I decided to use Ransom32. After some time spent to locate the .onion site in the Tor network, and to register a Bitcoin wallet, I finally got to the client download section. At this point, I noticed that the client menu had new options:
- Bundle Tor client – The author offers to include the tor client in the package, which looks less suspicious for AV. This increases package size by 1.3 MB. The first version had a built-in Tor client by default.
- Bundle pluggable transport – This spoofs the connection so it seems to be connecting to a public Clearnet. The option increases the client size by 1.2 MB.
- Relay server – This offers a package that will have server and client side, which makes it a lot easier to deliver and monetize. The client has the smallest size of all options. The victim will download ransomware from the server that you need to set up. The downside is obvious: you have to set up a server somewhere else with a 24/7 runtime.
What’s Inside
I have two versions of the client. The first one has “Bundle pluggable transport” enabled. The second one is a default version. The difference in package size is significant. The very first client was about 22 MB. The current are 1.06 MB and 3.31 MB. This indicates that the ransomware author listens to his customers. Decreasing the size and redesigning the package makes it a lot easier to use for malicious purposes.
The main part of the unpacked content consists of the following files:
The client with the enabled “Bundle pluggable transport” feature has two extra DLLs, that are responsible for its functionality.
This feature is an implementation of meek, which is an obfuscation layer for Tor designed to evade Internet censorship. Traffic is relayed through a third-party server that is hard to block, a CDN for example. It uses a trick called domain fronting to communicate with a Tor relay while appearing to talk to another domain.
The rest of the files within the archive have the following purposes:
- dotNetFx40_Full_setup.exe – The Microsoft .NET Framework 4 web installer package downloads and installs the .NET Framework components required to run on the target machine architecture and OS. So apparently this ransomware requires .NET framework 4 for normal functionality. This also means that without an Internet connection, encryption could not be performed. However, it’s not a legit version of the framework, but a repacked one. It modifies regular functions and supports ransomware operations. The original name: Boxstub.exe[SHA1:06BECADB92A5FCCA2529C0B93687C2A0C6D0D610]. It has been seen in different malware packages .
- StartMenu.dll – contains data that are required by the NW.js framework to function properly.
- Tozpac.exe – is a packaged NW.js application and contains the actual malware code, as well as the framework required to run the malware. It implements the entire process of encrypting files, as well as handles all of the network negotiations.
- Tozpac.exe.config – contains the malware’s configuration information.
Encryption Process
Before encrypting your data, Ransom32 will first launch dotNetFx40_Full_setup.exe. Afterward, it triggers Tozpac.exe, which will encrypt them using AES encryption. One thing that I noticed is Tozpac.exe imports mscoree.dll to do the encryption. And this means that most of the functionality that was built-in before, is now imported using Windows DLLs:For example, to initiate Remote Procedure Call it’s using rpcrt4.dll. For encryption, it’s using crypt32.dll.
Using some dynamic analysis tricks we were able to find the attack extensions:
aaf, .accdb, .aep, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bbrksave, .bejeweled2deluxesavedgame, .blasterball3savedgame, .bmp, .c, .chesstitanssave-ms, .chuzzledeluxesavedgame, .civ4savedgame, .civ4worldbuildersave, .class, .comfycakessave-ms, .cpp, .cs, .csv, .dat, .db, .dbf, .ddpokersave, .dinerdashsavedgame, .dna.xml,.doc, .docm, .docx, .dot, .dotm, .dotx, .dplsave, .dsasave, .dsqsave, .dssave, .dwg, .dxf, .efx, .egwarsave, .emlx, .eps, .fatesavedgame, .fla, .flv, .freecellsave-ms, .game, .games, . gif, .h, .heartssave-ms, .iff, .indd, .inx, .jar, .java, .jpeg, .jpg, .lssave, .m3u, .m3u8, .m4u, .mahjongtitanssave-ms,.max, .mdb, .mid, .minesweepersave-ms, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .3dm, .3g2, .3gp, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .pspautosave, .purblepairssave-ms, .purbleshopsave-ms, .ra, .raw, .rb, .rtf, .sacred2save, .sav, .savage, .save, .savedgame, .savedsearch, .saver, .savgao, .savings, .sdf, .ses, .sgsav, .solitairesave-ms, .spidersolitairesave-ms, .spv, .sql, .sv5, .svg, .swf, .thewitchersave, .tif, .txt, .vcf, .vob, .wagame, .wav, .wma, .wmv, .wpd, .wps, .wsave, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml |
Once it has finished encrypting your data, it will display the Ransom32 ransom lock screen/ransom note as shown below.
Obfuscation via Node.js
It has been two months since I first saw Ransom32. At that time, it looked like the malware author cared mostly about the ability to imitate legitimate applications for the purpose of avoiding detection. However, as we can see, even the RaaS market is competitive. And as such, it seems to have forced the Ransom32 author to redesign his product. Before, there were a number of various elements, including legitimate applications: i.e., the Tor client (renamed to rundll32.exe) and the size of the file was huge. Now, most of the functionality is embedded into one file that is only ~1MB in size. The technology that was chosen for the core — Node.js — has let the malware stay undetected by most AV products months after its first appearance.
What makes the Ransom32 RaaS so scary, is that using a platform like NW.js brings us closer to the malware that could be easily run on Macs and Linux operating systems as they do on Windows. Although there does not seem to be any indication that this is being done as of yet, doing so would be trivial. We will keep monitoring Ransom32 to see how RaaS affects the ransomware market.