After the sign up, the users get access to basic admin page that enabled them to see how many systems are infected; observe how much money has been collected; and tweak various settings for the ransomware. These include how much BTC to request from victims, and whether to completely lock the computer or allow a victim to minimize the lock screen, giving them the ability to check whether their files are fully encrypted or not. Ransom32 is a 22MB self-extracting RAR file, which weighs in at over 67MB when extracted. Once run, the executable creates a shortcut, ChromeService, which points to a chrome.exe package.
The files extracted into the Chome Browser folder are:
chrome – The Chromium license agreement.
chrome.exe – This is the main executable for the malware and is a packaged NW.js application bundled with Chromium.
ffmpegsumo.dll – HTML5 video decoder DLL that is bundled with Chromium.
g – The settings file that contains various information used by the malware. This information includes the affiliate’s ransom amount, bitcoin address that they receive payments on, and error message that is shown in a messagebox if the Show a message Box setting was enabled.
icudtl.dat – File used by Chromium
locales – Folder containing various language packs used by Chrome.
msgbox.vbs – The messagebox displayed if the affiliate enabled the Show a message Box setting.
nw.pak – Required for the NW.JS platform.
rundll32.exe – Renamed TOR executable so that the malware can communicate with the TOR Command and Control server.
s.exe – Renamed Shortcut.exe from OptimumX. This is a legitimate program used by the malware to create the ChromeService shortcut in the Startup folder.
u.vbs – A VBS script that deletes a specified folder and its contents.