Ransom32, the ransomware as a service for hackers

A new ransomware, called Ransom32, appeared recently. When this type of malware infects a machine, it encrypts the data on the hard disk. In the vast majority of cases, the only way of recovering the data is to pay a ransom to the hackers who control the ransomware.

In principle, classic malware…

This type of malware is referred to as “Ransomware as a Service” (RaaS), a name derived from the term “Software as a Service”.

The hackers offer other wrongdoers a piece of malware and an infrastructure of Command & Control servers which is already in existence. An individual wishing to use the service simply needs to download the malware and distribute it with his own phishing campaign. If victims whose machines are infected pay the ransom, the funds go directly to the original administrators of the malware, who then pass on a percentage to the pirates who infected the machines.

Ransom32 resembles the latest ransomwares to appear in recent months, such as Tox, Fakben or Radamant. Indeed, the procedure is somewhat similar. The hacker must first log-on to the site from the Tor network. The homepage asks for a Bitcoin address to which a percentage of the ransoms received by the site administrators will be paid.


The following page shows a basic administrative box which is used to configure part of the malware. The box shows us that the amount of the ransom demanded from the victim, and the error message that will be displayed, can be modified at will. As the infection spreads, the hacker can also see the number of victims who have paid up or the number of machines compromised.


… but not as classic as that

Unlike the other ransomwares mentioned above, Ransom32 is entirely coded in Javascript, HTML and CSS. The fact that these languages were used means that, with minor modifications, it could be deployed indifferently on Mac, Linux and Windows operating systems. This significantly increases its ability to infect. However, the cybersecurity researchers who uncovered Ransom32 do not believe that the authors of the malware have yet applied those modifications.


As Renaud Bidou said at BotConf 2015, coding malware in Javascript offers the advantage of being able to use a browser as its host. This gives access to all of the typical malware functionalities, such as keystroke logging or image capture, but with greater agility. Javascript is thus destined to be more and more widely used.


Furthermore, the appearance of a new Ransomware as a Service marks a trend for hackers to offer turnkey services to their peers. The advent of hacking software that requires no effort has made life easier for the hackers known as “script kiddies”. Similarly, infrastructures which make extortion operations easy to carry out bring a risk that a new breed of hacker will emerge, young and inexperienced, but avid for profit and indulging in activities controlled by high-level cybercriminals. Note, however, that there is no proof that those high-level crooks actually pay a percentage to the hackers who propagate Ransom32. In the world of the Dark Web, the criminal can quickly become a victim…