Ransomware-as-a-Service has become a popular model amongst cybercriminals. The way this one works is that anyone can access their dark web Tor site, register with a Bitcoin address, then customize and download their own version of the malware. The original developers take a 25% cut of any ransom collected; the rest goes to their criminal affiliate. Affiliates have a console available where they can view statistics and update settings on their personal ransomware campaign.
Affiliates can choose how to distribute Ransom32, whether through spray-and-pray phishing campaigns, more targeted spear phishing, malvertising, manually hacking Linux servers or brute-forcing terminal servers.
Because NW.js is actually a legitimate framework and application, files can be encrypted quietly and the malware package is more difficult to detect. Ransom32 only encrypts certain file extensions using AES encryption, but its extension list includes wildcard entries like .*sav*, which cause all files containing that string to be encrypted.
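The wildcard behaviour described above matters when scoping backups and file-monitoring rules, because a rule keyed to exact extensions misses files that only the wildcard covers. The following is an added example, not code from the original article or from the malware, that audits a file inventory for such files; the glob semantics, every pattern other than `.*sav*`, and the sample paths are assumptions constructed for illustration.

```javascript
// Added example: find files that only a wildcard extension pattern covers.
// ASSUMPTION: patterns are globs ('*' = any run of characters) matched
// case-insensitively against the final extension, dot included.
// Only ".*sav*" comes from the article; ".docx" and ".jpg" are constructed.
const PATTERNS = [".docx", ".jpg", ".*sav*"];

// Convert a glob into an anchored, case-insensitive RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$", "i");
}

// Return the final extension (with dot) of a path, or "" if there is none.
function extensionOf(path) {
  const name = path.split(/[\\/]/).pop();
  const dot = name.lastIndexOf(".");
  return dot > 0 ? name.slice(dot) : "";
}

// For each path, record the matching patterns and whether every match is a wildcard.
function auditInventory(paths, patterns = PATTERNS) {
  const compiled = patterns.map((p) => ({ pattern: p, wildcard: p.includes("*"), re: globToRegExp(p) }));
  return paths.map((path) => {
    const ext = extensionOf(path);
    const hits = ext ? compiled.filter((c) => c.re.test(ext)) : [];
    return {
      path,
      ext,
      patterns: hits.map((h) => h.pattern),
      wildcardOnly: hits.length > 0 && hits.every((h) => h.wildcard),
    };
  });
}

// Paths that an exact-extension backup or monitoring rule would not cover.
function wildcardOnlyPaths(paths, patterns = PATTERNS) {
  return auditInventory(paths, patterns).filter((r) => r.wildcardOnly).map((r) => r.path);
}

// Constructed sample inventory (not real data).
const SAMPLE = [
  "C:\\Users\\a\\Documents\\report.docx",
  "C:\\Users\\a\\Games\\slot1.sav",
  "C:\\Users\\a\\Games\\profile.gamesave",
  "C:\\Users\\a\\Games\\quick.SAV0",
  "C:\\Users\\a\\notes.txt",
  "/srv/share/savings.xlsx",
];
console.log(wildcardOnlyPaths(SAMPLE));
```

Under the assumed semantics, `savings.xlsx` is not flagged because the string appears in the file name rather than the extension; if the match is on the whole name, replace `extensionOf` with the base name.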
At this time there is no known decryption for Ransom32, but we will update this page if one becomes available.