nRansom
Malware
⚠️ Overview
nRansom is a file-encrypting ransomware first documented in July 2016 by Malwarebytes researchers. It is commodity ransomware aimed at individual users rather than corporate networks, distributed through spam email campaigns and malvertising, with no publicly attributed threat actor or operator group. It is considered a low-sophistication variant: it relies on user interaction to execute its payload rather than on any software vulnerability.
🔧 Technical Capabilities
nRansom arrives via phishing emails carrying malicious Microsoft Office documents or JavaScript downloaders (MITRE ATT&CK T1566.001). Upon execution it connects to hardcoded command-and-control (C2) servers over HTTP to retrieve an encryption key and the ransom note. It encrypts files with AES-256, targeting extensions such as .doc, .jpg, .pdf, and .mp3, and appends the .nRansom suffix to each encrypted file. Persistence is achieved through Windows Registry run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks (T1053.005). Anti-analysis consists of checking for debugger processes such as ollydbg.exe and terminating if one is found, plus simple string obfuscation to frustrate static signatures. The ransomware has no worm-like self-propagation; every infection traces back to the initial delivery vector.
📜 History & Notable Incidents
First reported in July 2016 by Malwarebytes, nRansom gained brief notoriety for pairing a .onion Tor payment site with a Bitcoin wallet, though the Tor site quickly became defunct. No high-profile victims are associated with nRansom, and it exploits no CVE; it primarily affected individual users in North America and Europe through small-scale spam campaigns. No law enforcement actions against the operators have been publicly recorded, and the malware faded from active distribution by 2017 as more advanced ransomware families emerged.
🔍 Detection Indicators
Published file hashes vary by campaign and should be taken from a current threat feed rather than from this page; the behavioral indicators below are more durable. Behavioral signatures include mass renaming of files to the .nRansom extension and creation of a ransom note named READ_ME.html in each encrypted directory. Network IOCs include HTTP POST requests to the campaign's C2 domains (maliciousexample[.]com is a defanged placeholder, not a live indicator) with a User-Agent such as "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"; this User-Agent is a generic browser string and is too common to alert on by itself. A registry key under HKCU\Software\nRansom and a mutex named "nRansomMutex" are used to prevent multiple infections.
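The indicators above can be combined into a behavioral correlation rule rather than matched one at a time. The following is an added example, not code from the original page or from any vendor product: it reads a constructed stream of EDR-style JSON events (the event schema, field names, process names and paths are assumptions) and fires on the page's own indicators, a burst of renames to .nRansom from a single process, READ_ME.html dropped across several directories, creation of the nRansomMutex mutex, and a Run-key value pointing into a user-writable path.

```python
"""Behavioural detection of nRansom-style activity over host telemetry.

Added example, not code from the page or from any vendor product. Events are
constructed EDR-style JSON lines; the schema and field names are assumptions.
"""
import json
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_EXT = ".nransom"          # suffix appended to encrypted files
NOTE_NAME = "read_me.html"       # ransom note dropped per directory
MUTEX_NAME = "nransommutex"      # infection marker
RUN_KEY_RE = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)
RENAME_THRESHOLD = 20            # .nRansom renames by one process inside WINDOW
NOTE_THRESHOLD = 3               # distinct directories receiving a note
WINDOW = timedelta(seconds=60)

T0 = datetime(2016, 7, 15, 10, 0, 0)
MAL_PID, MAL_IMAGE = 4242, r"C:\Users\alice\AppData\Local\Temp\invoice_scan.exe"
BENIGN_PID, BENIGN_IMAGE = 1337, r"C:\Windows\explorer.exe"


def _event(offset_s, pid, image, **fields):
    """One constructed telemetry line (JSON). Hypothetical schema."""
    rec = {"ts": (T0 + timedelta(seconds=offset_s)).isoformat(), "pid": pid, "image": image}
    rec.update(fields)
    return json.dumps(rec)


# Constructed sample: one process renames 25 files, drops notes in three folders,
# creates the mutex and writes a Run key; explorer.exe adds benign noise.
SAMPLE_EVENTS = (
    [_event(i, MAL_PID, MAL_IMAGE, type="file_rename",
            old_path=rf"C:\Users\alice\Documents\report_{i}.doc",
            new_path=rf"C:\Users\alice\Documents\report_{i}.doc.nRansom")
     for i in range(25)]
    + [_event(25 + i, MAL_PID, MAL_IMAGE, type="file_create",
              path=rf"C:\Users\alice\{folder}\READ_ME.html")
       for i, folder in enumerate(["Documents", "Pictures", "Desktop"])]
    + [_event(28, MAL_PID, MAL_IMAGE, type="mutex_create", name="nRansomMutex"),
       _event(29, MAL_PID, MAL_IMAGE, type="registry_set",
              key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
              value=MAL_IMAGE),
       _event(30, BENIGN_PID, BENIGN_IMAGE, type="file_rename",
              old_path=r"C:\Users\alice\Desktop\draft.txt",
              new_path=r"C:\Users\alice\Desktop\draft.bak"),
       _event(31, BENIGN_PID, BENIGN_IMAGE, type="registry_set",
              key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
              value=r"C:\Program Files\Microsoft OneDrive\OneDrive.exe")]
)


def detect(lines):
    """Correlate telemetry per process and return a list of alert dicts."""
    renames = defaultdict(list)    # pid -> timestamps of .nRansom renames inside WINDOW
    note_dirs = defaultdict(set)   # pid -> directories that received a ransom note
    alerts = []

    def alert(rule, ev, detail):
        alerts.append({"rule": rule, "pid": ev["pid"], "image": ev["image"], "detail": detail})

    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        pid, kind = ev["pid"], ev["type"]

        if kind == "file_rename" and ev["new_path"].lower().endswith(RANSOM_EXT):
            # sliding window: keep only renames within WINDOW of this one
            window = [t for t in renames[pid] if ts - t <= WINDOW] + [ts]
            renames[pid] = window
            if len(window) == RENAME_THRESHOLD:      # fire once, when the threshold is crossed
                alert("mass_rename_nransom", ev, f"{len(window)} renames in {WINDOW.seconds}s")

        elif kind == "file_create" and ntpath.basename(ev["path"]).lower() == NOTE_NAME:
            dirs = note_dirs[pid]
            dirs.add(ntpath.dirname(ev["path"]).lower())
            if len(dirs) == NOTE_THRESHOLD:
                alert("ransom_note_drop", ev, f"{NOTE_NAME} in {len(dirs)} directories")

        elif kind == "mutex_create" and ev["name"].lower() == MUTEX_NAME:
            alert("known_mutex", ev, ev["name"])

        elif kind == "registry_set" and RUN_KEY_RE.match(ev["key"]):
            # Run keys are routine; one whose target lives in a user-writable path is not
            if USER_WRITABLE_RE.search(ev["value"]):
                alert("run_key_user_writable", ev, f'{ev["key"]} -> {ev["value"]}')

    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

The rename and note thresholds are tuning knobs; the values here are chosen so that a user renaming a handful of files never trips the rule while an encryptor touching a whole folder does. The Run-key rule deliberately keys on where the value points rather than on the key itself, because legitimate software writes Run keys constantly and the user-writable target path is what separates this persistence from the noise.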
☠️ Risk & Impact
nRansom encrypts personal files (documents, images, databases) and demands a ransom of 0.5–1 Bitcoin (approximately $300–$600 at the time) payable to a Bitcoin wallet. The malware does not exfiltrate data; its primary impact is permanent data loss if payment is not made, as decryption tools were never publicly released. Affected sectors include individual home users and small businesses, with no reported impact on critical infrastructure or large enterprises.
🛡️ Mitigation
Defensive measures include maintaining offline backups, disabling macro execution in Office documents (MITRE ATT&CK M1042, Disable or Remove Feature or Program), and deploying email security gateways to block malicious attachments. Detection rules can be implemented as YARA signatures on the ransom note text "Your files have been encrypted"; since YARA matches file content rather than names, the .nRansom extension is better covered by endpoint or file-integrity rules that watch for mass renames. No specific patch applies, because the malware relies on user execution rather than on a software vulnerability.
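Where YARA is not available, or the hunt happens after the fact, the two signals the page names for detection (the note text and the .nRansom extension) can be checked from a script. The following added example is not the page's or any vendor's code: it walks a directory, matches ransom notes on the quoted phrase, and adds the check a responder needs before deciding which files are actually lost, a byte-entropy measurement that separates files that were genuinely encrypted from files that were only renamed. The directory tree it scans is constructed test data; the entropy threshold is an assumption, not a value from the page.

```python
"""Post-infection triage for nRansom-style file damage.

Added example, not the page's or any vendor's code. It checks the two signals
the profile names for detection, the ransom note text and the .nRansom
extension, and adds a byte-entropy test so renamed-but-intact files are not
written off as lost. The directory it scans is constructed test data.
"""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".nransom"
NOTE_NAME = "read_me.html"
NOTE_PATTERN = b"your files have been encrypted"
ENTROPY_THRESHOLD = 7.5     # bits per byte (assumed cut-off); ciphertext ~8.0, plain text ~4-5
SAMPLE_BYTES = 64 * 1024    # read at most this much from each file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _head(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read(SAMPLE_BYTES)


def triage(root: str) -> dict:
    """Walk root and bucket findings; paths are returned relative to root, sorted."""
    found = {"notes": [], "encrypted": [], "renamed_only": []}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower == NOTE_NAME:
                if NOTE_PATTERN in _head(path).lower():
                    found["notes"].append(rel)
            elif lower.endswith(RANSOM_EXT):
                # high entropy means the bytes were rewritten; low entropy means rename only
                bucket = "encrypted" if shannon_entropy(_head(path)) >= ENTROPY_THRESHOLD else "renamed_only"
                found[bucket].append(rel)
    for bucket in found.values():
        bucket.sort()
    return found


def build_sample_tree() -> str:
    """Constructed victim folder; a real run points triage() at the infected host instead."""
    root = tempfile.mkdtemp(prefix="nransom_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "READ_ME.html"), "wb") as fh:
        fh.write(b"<html><body><h1>Your files have been encrypted</h1></body></html>")
    with open(os.path.join(docs, "budget.xlsx.nRansom"), "wb") as fh:
        fh.write(os.urandom(16384))                     # stands in for AES-256 output
    with open(os.path.join(docs, "notes.txt.nRansom"), "wb") as fh:
        fh.write(b"Meeting notes: review Q3 figures.\n" * 200)  # renamed, content never rewritten
    with open(os.path.join(docs, "untouched.txt"), "wb") as fh:
        fh.write(b"nothing happened to this file\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for bucket, paths in report.items():
        print(bucket, paths)
```

The entropy test is reliable for documents and text, which is where it matters most for recovery decisions. It cannot distinguish an encrypted .jpg or .mp3 from a merely renamed one, because those formats are already compressed and sit near 8 bits per byte in their original form; for the media extensions the page lists, compare against backups or check for the format's magic bytes instead.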
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.