Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Threats

The Return of Ransom32

Artsiom Holub
Updated — March 4, 2020

The Ransom32’s Origin

If you keep an eye on ransomware threats or the RaaS (ransomware as a service) market, you have most likely already heard about Ransom32, the first JavaScript ransomware. Emsisoft provides a good description of the first version here, and Malwarebytes gives some implementation details of the malicious package here. At first glance this particular threat doesn’t look scary at all: you have to find a way to deliver a malware file larger than 22 MB, whereas most ransomware variants rarely exceed 1 MB in size.
Since I needed a piece of malware to analyze for a malware analysis class I started recently, I decided to use Ransom32. After some time spent locating the .onion site on the Tor network and registering a Bitcoin wallet, I finally got to the client download section. At this point, I noticed that the client menu had new options:
[Screenshot: the client download menu with the new options]

  • Bundle Tor client – The author offers to include the Tor client in the package, which looks less suspicious to AV. This increases the package size by 1.3 MB. The first version had a built-in Tor client by default.
  • Bundle pluggable transport – This disguises the connection so that it appears to be going to a public clearnet site. The option increases the client size by 1.2 MB.
  • Relay server – This offers a package with a server side and a client side, which makes it a lot easier to deliver and monetize. The client has the smallest size of all the options. The victim downloads the ransomware from the server that you need to set up. The downside is obvious: you have to run a server somewhere else with 24/7 uptime.

What’s Inside

I have two versions of the client. The first one has “Bundle pluggable transport” enabled; the second one is the default version. The difference in package size is significant: the very first client was about 22 MB, while the current ones are 1.06 MB and 3.31 MB. This indicates that the ransomware author listens to his customers. Decreasing the size and redesigning the package makes it a lot easier to use for malicious purposes.
The main part of the unpacked content consists of the following files:
[Screenshot: the main files of the unpacked client]
The client with the “Bundle pluggable transport” feature enabled has two extra DLLs that are responsible for its functionality.
This feature is an implementation of meek, an obfuscation layer for Tor designed to evade Internet censorship. Traffic is relayed through a third-party server that is hard to block, a CDN for example. It uses a trick called domain fronting to communicate with a Tor relay while appearing to talk to another domain.
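From a defender's side, the observable side effect of domain fronting is a mismatch between the server name in the TLS ClientHello (the fronting domain on the CDN) and the Host header inside the tunnel (the real destination). The following is an added example, not code from the original post: it flags that mismatch over a few constructed flow records, as a proxy or secure web gateway performing TLS inspection would see them. The domain names are placeholders, and the "last two labels" rule for the registered domain is a deliberate simplification.

```python
"""Flag TLS sessions whose HTTP Host header names a different site than the SNI.

Added example (not from the original post). Without TLS inspection only the SNI and
the DNS query for the fronting domain are visible, which is exactly what meek relies on.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Flow:
    src: str   # client address
    sni: str   # server_name from the TLS ClientHello
    host: str  # Host header, visible only after TLS inspection (proxy / SWG)


def registered_domain(name: str) -> str:
    """Naive eTLD+1: the last two labels of the name.

    Assumption of this example; a production check should consult the
    Public Suffix List so that names like example.co.uk are handled correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def is_fronted(flow: Flow) -> bool:
    """True when the Host header points at a different registered domain than the SNI."""
    return registered_domain(flow.sni) != registered_domain(flow.host)


def find_fronted(flows: List[Flow]) -> List[Flow]:
    """Return the flows that deserve a look; a mismatch alone is not proof of malice."""
    return [f for f in flows if is_fronted(f)]


# Constructed sample: an ordinary session, a same-site CDN hostname, and a fronted session.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "www.example.com", "www.example.com"),
    Flow("10.0.0.5", "static.example.com", "example.com"),
    Flow("10.0.0.9", "cdn.fronting-example.net", "meek-reflector.example.org"),
]

if __name__ == "__main__":
    for f in find_fronted(SAMPLE_FLOWS):
        print(f"review: {f.src} SNI={f.sni} Host={f.host}")
```

A mismatch is common on multi-tenant CDNs, so treat a hit as a triage signal to combine with other context (a rarely seen SNI, long-lived sessions from a single host) rather than as a block decision.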
The rest of the files within the archive have the following purposes:

  • dotNetFx40_Full_setup.exe – The Microsoft .NET Framework 4 web installer package downloads and installs the .NET Framework components required for the target machine’s architecture and OS. So apparently this ransomware requires .NET Framework 4 to function normally. This also means that without an Internet connection, encryption could not be performed. However, it’s not a legitimate copy of the framework installer but a repacked one: it modifies regular functions to support the ransomware’s operations. The original name is Boxstub.exe [SHA1: 06BECADB92A5FCCA2529C0B93687C2A0C6D0D610]. It has been seen in different malware packages.
  • StartMenu.dll – contains data required by the NW.js framework to function properly.
  • Tozpac.exe – is a packaged NW.js application and contains the actual malware code, as well as the framework required to run the malware. It implements the entire process of encrypting files and handles all of the network negotiations.
  • Tozpac.exe.config – contains the malware’s configuration information.

Encryption Process

Before encrypting your data, Ransom32 first launches dotNetFx40_Full_setup.exe. Afterward, it triggers Tozpac.exe, which encrypts the files using AES. One thing I noticed is that Tozpac.exe imports mscoree.dll to do the encryption, which means that most of the functionality that was built in before is now imported from Windows DLLs. For example, to initiate Remote Procedure Calls it uses rpcrt4.dll; for encryption, it uses crypt32.dll.
Using some dynamic analysis tricks, we were able to recover the list of file extensions that the ransomware targets:

.aaf, .accdb, .aep, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bbrksave,
.bejeweled2deluxesavedgame, .blasterball3savedgame, .bmp, .c, .chesstitanssave-ms,
.chuzzledeluxesavedgame, .civ4savedgame, .civ4worldbuildersave, .class,
.comfycakessave-ms, .cpp, .cs, .csv, .dat, .db, .dbf, .ddpokersave,
.dinerdashsavedgame, .dna.xml, .doc, .docm, .docx, .dot, .dotm, .dotx, .dplsave,
.dsasave, .dsqsave, .dssave, .dwg, .dxf,
.efx, .egwarsave, .emlx, .eps, .fatesavedgame, .fla, .flv, .freecellsave-ms, .game, .games,
.gif, .h, .heartssave-ms, .iff, .indd, .inx, .jar, .java, .jpeg, .jpg, .lssave, .m3u, .m3u8, .m4u,
.mahjongtitanssave-ms, .max, .mdb, .mid, .minesweepersave-ms,
.mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .3dm, .3g2, .3gp, .pdb, .pdf, .php, .plb,
.pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel,
.prproj, .ps, .psd, .pspautosave, .purblepairssave-ms, .purbleshopsave-ms, .ra, .raw,
.rb, .rtf, .sacred2save, .sav, .savage, .save, .savedgame, .savedsearch, .saver, .savgao,
.savings, .sdf, .ses, .sgsav, .solitairesave-ms, .spidersolitairesave-ms, .spv, .sql, .sv5,
.svg, .swf, .thewitchersave, .tif, .txt, .vcf, .vob, .wagame, .wav, .wma, .wmv, .wpd, .wps,
.wsave, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml
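A list like this is most useful to a defender as an exposure check: which files on a given host or share would this family have encrypted, and therefore which ones need to be covered by offline backups. The following is an added example, not code from the original post. It embeds the extension list exactly as it appears above (including the line-wrapping artefacts, which `parse_extension_list()` normalizes), then classifies file paths against it. Matching is assumed to be case-insensitive, as on Windows file systems, and the sample paths are constructed.

```python
"""Exposure check against the Ransom32 target-extension list.

Added example (not from the original post). RAW_LIST is the list as printed in the
post; parse_extension_list() turns it into a clean, de-duplicated set of extensions.
Case-insensitive matching is an assumption (true for Windows file systems).
"""
import os
from collections import Counter
from typing import Iterable, List, Optional, Tuple

RAW_LIST = """aaf, .accdb, .aep, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bbrksave,
.bejeweled2deluxesavedgame, .blasterball3savedgame, .bmp, .c, .chesstitanssave-ms,
.chuzzledeluxesavedgame, .civ4savedgame, .civ4worldbuildersave, .class,
.comfycakessave-ms, .cpp, .cs, .csv, .dat, .db, .dbf, .ddpokersave,
.dinerdashsavedgame, .dna.xml,.doc, .docm, .docx, .dot, .dotm, .dotx, .dplsave,
.dsasave, .dsqsave, .dssave, .dwg, .dxf,
.efx, .egwarsave, .emlx, .eps, .fatesavedgame, .fla, .flv, .freecellsave-ms, .game, .games, .
gif, .h, .heartssave-ms, .iff, .indd, .inx, .jar, .java, .jpeg, .jpg, .lssave, .m3u, .m3u8, .m4u,
.mahjongtitanssave-ms,.max, .mdb, .mid, .minesweepersave-ms,
.mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .3dm, .3g2, .3gp, .pdb, .pdf, .php, .plb,
.pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel,
.prproj, .ps, .psd, .pspautosave, .purblepairssave-ms, .purbleshopsave-ms, .ra, .raw,
.rb, .rtf, .sacred2save, .sav, .savage, .save, .savedgame, .savedsearch, .saver, .savgao,
.savings, .sdf, .ses, .sgsav, .solitairesave-ms, .spidersolitairesave-ms, .spv, .sql, .sv5,
.svg, .swf, .thewitchersave, .tif, .txt, .vcf, .vob, .wagame, .wav, .wma, .wmv, .wpd, .wps,
.wsave, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml"""


def parse_extension_list(raw: str) -> List[str]:
    """Normalize the printed list: drop whitespace inside tokens (wrapped lines such
    as '. gif'), add a missing leading dot ('aaf'), lower-case, de-duplicate, and
    order longest-first so that a multi-part extension like '.dna.xml' is tried
    before '.xml'."""
    exts = set()
    for token in raw.split(","):
        token = "".join(token.split())  # removes spaces and line breaks within a token
        if not token or token == ".":   # a dangling '.' is a wrapping artefact
            continue
        if not token.startswith("."):
            token = "." + token
        exts.add(token.lower())
    return sorted(exts, key=len, reverse=True)


TARGETED = parse_extension_list(RAW_LIST)


def match_extension(path: str) -> Optional[str]:
    """Return the targeted extension a file name ends with, or None."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()  # works for both path styles
    for ext in TARGETED:
        if name.endswith(ext) and len(name) > len(ext):  # ignore bare names like '.txt'
            return ext
    return None


def classify(paths: Iterable[str]) -> Tuple[List[str], List[str], Counter]:
    """Split paths into (would be encrypted, untouched) and count hits per extension."""
    hit, miss, by_ext = [], [], Counter()
    for p in paths:
        ext = match_extension(p)
        if ext is None:
            miss.append(p)
        else:
            hit.append(p)
            by_ext[ext] += 1
    return hit, miss, by_ext


def scan_directory(root: str) -> Tuple[List[str], List[str], Counter]:
    """Run the exposure check over a real directory tree."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return classify(paths)


# Constructed sample paths for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\holiday.JPG",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\dev\main.cpp",
    r"C:\data\genome.dna.xml",
    r"C:\Users\alice\Desktop\notes.txt",
]

if __name__ == "__main__":
    hit, miss, by_ext = classify(SAMPLE_PATHS)
    print(f"{len(hit)} of {len(SAMPLE_PATHS)} sample files would have been encrypted")
    for ext, n in by_ext.most_common():
        print(f"  {ext}: {n}")
```

Point `scan_directory()` at a user profile or a file share to get the same breakdown for real data; the per-extension counts are a quick way to see whether the files that matter (documents, source code, databases) are the ones a backup policy actually covers.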

Once it has finished encrypting your data, it will display the Ransom32 ransom lock screen/ransom note as shown below.

[Screenshot: the Ransom32 ransom lock screen]

Obfuscation via Node.js

It has been two months since I first saw Ransom32. At that time, it looked like the malware author cared mostly about the ability to imitate legitimate applications in order to avoid detection. However, as we can see, even the RaaS market is competitive, and that seems to have forced the Ransom32 author to redesign his product. Before, there were a number of different elements, including legitimate applications such as the Tor client (renamed to rundll32.exe), and the file was huge. Now most of the functionality is embedded in one file that is only ~1 MB in size. The technology chosen for the core — Node.js — has let the malware stay undetected by most AV products months after its first appearance.
What makes the Ransom32 RaaS so scary is that using a platform like NW.js brings us closer to malware that runs as easily on Mac and Linux operating systems as it does on Windows. Although there does not seem to be any indication that this is being done yet, doing so would be trivial. We will keep monitoring Ransom32 to see how RaaS affects the ransomware market.
