Emsisoft’s Fabian Wosar writes here that embedded in a self-extracting WinRAR archive is an NW.js-packaged application that does the heavy lifting for the ransomware.
Because NW.js is a legitimate framework, it’s also hard to fit into signature-based malware detection (the company makes the usual observation that unlike everyone else, it can protect users against this attack).
While Wosar’s only seen Ransom32 as a Windows attack vector, NW.js would theoretically let the nastyware get packaged up for Mac OS X and Linux systems.
In the copy Emsisoft analyzed, once Ransom32 was installed and launched, it connected to a command-and-control server on Tor, negotiated the Bitcoin address victims are supposed to pay to recover their files, and displayed its ransom note:
The encryption it uses is AES with a 128-bit key.