A new ransomware has been discovered recently and among its distinguishing characteristics is the fact that it pretends to be Google’s Chrome browser. It was first analyzed by Emsisoft, which named it Ransom32.
It works in the form of ‘Ransomware as a Service’ (RaaS) from a hidden server in the Tor network. Cyber criminals can choose what malware will infect the victim, how many bitcoins it will ask for and what threatening messages it will show in the screen. They can also see statistics on how many users were infected and how many of them actually paid.
Once Ransom32 installs itself on the system and is executed, it will unpack all of its malicious files in the temporary files folder and make sure it’s executed on every boot. The malicious file, chrome.exe, disguises itself as the popular Chrome web browser.
The extensions targeted for encryption are over a hundred, and among them are the most frequent ones used for text and images files like .TXT, .DOC, .JPG, .GIF, .AVI, .MOV, and .MP4.
Another detail worth mentioning that differentiates Ransom32 from other similar threats is that its size is around 45 MB, which is odd as ransomware is usually smaller. Nonetheless, this makes sense because it pretends to be a web browser.