What is Ransom32?

Ransom32 is a new and quite unique ransomware Trojan that is probably one of the most dangerous threats that can hit your computer right now. This Trojan exhibits a couple of traits that make it a dangerously unique infection. First, it is the first known ransomware to use JavaScript both to encrypt your personal files and to display the ransom note or lock screen instructions. Second, this ransomware is actually offered as a service on the Tor network, i.e., it can be customized by the individual schemer who signs up for a copy of this threat. Therefore, this Trojan can behave in a number of different ways. Although right now it has only been reported to infect the Windows operating system, according to our researchers at Anti-Spyware-101.com, it is quite likely that this ransomware will be able to affect Linux and Mac OS X systems as well. Once this serious infection finds a way onto your system, there is no stopping it: your most important files will be encrypted and become inaccessible and useless unless you pay the ransom fee. We can offer you a manual way to remove Ransom32, but you need to understand that your files will not be decrypted just because you clean your PC of this infection.

Where does Ransom32 come from?

Since there can be a number of versions out there already, it is hard to predict how you will be infected. The criminals who sign up for a copy of this beast can decide to spread it in a couple of ways. We can share with you what the major distribution methods may be with regard to this Trojan. This will also give you a chance to understand how you can actually protect your computer from similar attacks. The number one method is usually spam e-mails. There are three major problems and vulnerabilities regarding spam e-mails. First, a spam message may hide malicious code that runs the moment you open the mail. This way you infect your system right away without even noticing that a Trojan or other malware infection has dropped onto your computer. Second, malicious links may be inserted into the body of the spam mail, which will try to draw your attention and trick you into clicking on them. Again, one click is enough and your computer will be infected with this Trojan or other threats. Third, probably the most frequent way to fool unsuspecting and inexperienced computer users is the use of infected attachments, which can be an image, video, PDF, or Word document file.

It is quite possible that your spam filter will not weed out these e-mails because criminals constantly improve their techniques and now they can use official-looking senders or even anyone from your own contact list as the sender of the malicious spam e-mail. This way it is more likely that you will actually open the mail. Therefore, the lesson here is very simple. You need to be extra careful when going through your inbox and clicking on mails, let alone attachments. We recommend that you only click on links and attachments in a mail when you are sure they were meant for you.

Another common method for Trojans to spread over the net is via malicious software installers mainly promoted in bundles. You can end up with such bundles if you visit shady websites, such as pornographic, freeware, and torrent sites. Clicking on any content on these sites may result in downloading an infectious package that may contain Ransom32 among other malware threats. It is also possible that your computer has already been attacked by an adware application, for example. In this case, you may be shown unsafe third-party pop-up ads, which may also trigger the download of such a bundle, should you click on them. There are two things you can do to prevent these scenarios from happening. First, you need to avoid visiting such websites altogether and stop clicking on third-party ads. Second, you can download and install an up-to-date antimalware program that can protect your PC from any malware known today.

How does Ransom32 work?

This Trojan seems to arrive in a file named client.scr. This is the file that the criminals can download once they finish customizing their copy of this ransomware. When this file is activated, it self-extracts to the %temp% directory. It is actually a WinRAR self-extracting archive that contains a number of files that perform different tasks for this ransomware. For example, you will find chrome.exe, which is the NW.js application that actually contains the malicious JavaScript code; nw.pak, locales, ffmpegsumo.dll, and icudtl.dat, which are needed for the NW.js framework to work; rundll32.exe; s.exe; and a few others. NW.js (nwjs.io) is a cross-platform framework because applications built on it are written in JavaScript and HTML, and that is exactly why there is a possibility that this Trojan will soon appear on other operating systems as well.

After self-extracting to the temp directory, the files are copied to the %AppData%\Chrome Browser folder and a startup shortcut called ChromeService.lnk is also created in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup to make sure that this ransomware starts up every time you restart your system. After all the preparations, the encryption of your personal files commences. This Trojan can encrypt a great number of file extensions, including .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .avi, .mov, .mp4, .3gp, .mpeg, .3dm, .max, .accdb, .db, .php, .asp, .java, .jar, .class, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .ppt, .pps, .wav, .mp3, .aif, .iff, .m3u, .m4u, .psd, .indd, and .fla.

Depending on the settings, when the encryption is done, you will see the lock screen or ransom note that contains information about the payment method and how to use Bitcoins, as well as the deadline and an opportunity to decrypt one of your files. You have 4 days to transfer the money, or else the amount will increase. After 7 days your decryption key will be deleted, which means that you will never be able to recover your files. Although it may be tempting to pay the ransom fee, we would ask you to consider the fact that your money will land in cyber criminals’ pockets. Chances are you will never see your files anyway. Therefore, we advise you to remember to always make backups of your files on an external drive, which can easily be copied back to your hard drive once you have cleaned your computer of all the infections and the useless, encrypted files.

How do I delete Ransom32?

As a matter of fact, you can manually remove Ransom32, and we have included the necessary steps below. However, please use these instructions only if you are confident and consider yourself an experienced computer user. The slightest mistake might cause irreversible damage to your operating system, so please use these instructions carefully and at your own risk. Obviously, you can always use a professional automated malware removal tool that not only will delete Ransom32 and all other malware infections that may be present, but it will also safeguard your computer from future invasions. Keep all your programs updated in order to decrease your system’s vulnerability and help your security tool to do its job at the highest possible level.

Remove Ransom32 from Windows

  1. Press Win+E to start up Windows File Explorer.
  2. In the address bar, type in: "%AppData%\Chrome Browser". Press Enter.
  3. Remove the Chrome Browser folder.
  4. In the address bar, type in: "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup". Press Enter.
  5. Find ChromeService.lnk and delete it.
  6. Right-click on the Recycle Bin on your desktop and choose the Empty Recycle Bin option.
  7. Click Yes.
  8. Restart your computer in Normal Mode.
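The following PowerShell script is an added example, not part of the original article and not code from Ransom32 or NW.js. It audits a Windows host for the persistence artifacts described above (the %AppData%\Chrome Browser payload folder, the ChromeService.lnk startup shortcut, and any process running from that folder) and, only when asked, removes them in the same order as the manual steps. The paths and file names come from the article; the function name Get-Ransom32Indicator, the output fields and the -Remove switch are this example's own.

```powershell
# Added audit script (assumed names; not from the article or the malware itself).
# Reports the Ransom32 persistence artifacts the article describes; removal is opt-in.

function Get-Ransom32Indicator {
    [CmdletBinding()]
    param(
        # When set, stop the payload process and delete the artifacts (prompting first).
        [switch]$Remove
    )

    $findings   = @()
    $payloadDir = Join-Path $env:APPDATA 'Chrome Browser'
    $startupLnk = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk'

    # 1. The dropped NW.js payload folder. Legitimate Chrome installs under Program Files
    #    or %LocalAppData%\Google\Chrome, never under %AppData%\Chrome Browser.
    if (Test-Path -LiteralPath $payloadDir) {
        $files = @(Get-ChildItem -LiteralPath $payloadDir -Recurse -File -ErrorAction SilentlyContinue)
        $known = @($files.Name | Where-Object { $_ -in 'chrome.exe','nw.pak','ffmpegsumo.dll','icudtl.dat','s.exe' })
        $findings += [pscustomobject]@{
            Indicator = 'PayloadFolder'
            Path      = $payloadDir
            ProcessId = $null
            Detail    = ('{0} file(s); NW.js components present: {1}' -f $files.Count, ($known -join ', '))
        }
    }

    # 2. The startup shortcut that relaunches the payload after every reboot.
    #    Resolving its target shows where it really points.
    if (Test-Path -LiteralPath $startupLnk) {
        $shell  = New-Object -ComObject WScript.Shell
        $target = $shell.CreateShortcut($startupLnk).TargetPath
        $findings += [pscustomobject]@{
            Indicator = 'StartupShortcut'
            Path      = $startupLnk
            ProcessId = $null
            Detail    = "target: $target"
        }
    }

    # 3. Any running process whose image lives inside the payload folder.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path.StartsWith($payloadDir, [System.StringComparison]::OrdinalIgnoreCase) } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'RunningProcess'
                Path      = $_.Path
                ProcessId = $_.Id
                Detail    = "process name: $($_.ProcessName)"
            }
        }

    if ($Remove -and $findings.Count -gt 0) {
        # Stop the payload first so its folder is not locked, then delete the shortcut
        # and the folder; -Confirm prompts before each deletion.
        $findings | Where-Object Indicator -eq 'RunningProcess' |
            ForEach-Object { Stop-Process -Id $_.ProcessId -Force -ErrorAction SilentlyContinue }
        foreach ($artifact in @($startupLnk, $payloadDir)) {
            if (Test-Path -LiteralPath $artifact) {
                Remove-Item -LiteralPath $artifact -Recurse -Force -Confirm
            }
        }
    }

    return $findings
}

# Usage: report only (no changes are made to the system).
Get-Ransom32Indicator | Format-Table -AutoSize
# Usage: report, then remove with a prompt before each deletion.
# Get-Ransom32Indicator -Remove
```

Run the report form first and look at the StartupShortcut target: a shortcut in the Startup folder pointing into %AppData%\Chrome Browser is the clearest sign that the persistence described in the article is in place. An empty result does not rule out a customized build that drops its files elsewhere, since the article notes that each copy can be configured differently.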