Among the components installed on a system infected with Ransom32 is a Tor client, which handles communication with the command-and-control server hidden in the Tor network. This is how the traffic looks in Security Analytics:
The SSL handshake between the client and the server uses a certificate with an anomalous certificate authority (issuer) field: the value of the ssl.ca key is a hostname-like string that starts with 'www.'. This is how Tor itself generates its link certificates, so the pattern is not exclusive to Ransom32; any Tor client on the network will produce the same kind of handshake.
The following query can be used to detect Ransom32 network activity. The port term restricts matches to the default Tor ORPort (9001), which keeps false positives low but will miss Tor relays that listen on other ports, such as 443:
ssl.ca begins 'www.' && tcp.dstport = 9001
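The logic behind that query, applied to a handful of TLS session records, as an added example that is not part of the original post. The records are constructed for illustration and the field names (ssl_ca, dstport) only mirror the query terms; they are not an export format of Security Analytics. The second, port-agnostic rule is an assumption about how Tor names its self-generated link certificates (issuer www.<random>.com, subject www.<random>.net); treat its length and alphabet as tunable heuristics rather than a documented format.

```python
"""Detection logic for the Tor link-handshake certificate pattern.

Added example, not code from the original post. SAMPLE_SESSIONS is constructed;
field names mirror the query terms (ssl.ca, tcp.dstport) but are not a product format.
"""
import re
from typing import Dict, Iterable, List

# Constructed sample: one Tor-style handshake on 9001, one on 443, and two ordinary
# sessions whose issuer is a public CA (one of them, deliberately, on port 9001).
SAMPLE_SESSIONS: List[Dict] = [
    {"id": 1, "src": "10.0.0.5", "dst": "198.51.100.17", "dstport": 9001,
     "ssl_ca": "www.5lxxbq2nk.com", "ssl_subject": "www.ybmtrgw7j.net"},
    {"id": 2, "src": "10.0.0.5", "dst": "203.0.113.9", "dstport": 443,
     "ssl_ca": "DigiCert TLS RSA SHA256 2020 CA1", "ssl_subject": "www.example.com"},
    {"id": 3, "src": "10.0.0.8", "dst": "198.51.100.44", "dstport": 443,
     "ssl_ca": "www.k3mv6qoa.com", "ssl_subject": "www.a7pzqxm2k.net"},
    {"id": 4, "src": "10.0.0.9", "dst": "192.0.2.30", "dstport": 9001,
     "ssl_ca": "Let's Encrypt Authority X3", "ssl_subject": "mail.example.org"},
]

TOR_OR_PORT = 9001  # default Tor ORPort; relays may listen elsewhere (443 is common)

# Assumed shape of Tor's self-generated link certificates: issuer "www.<random>.com",
# subject "www.<random>.net", random part lowercase base32 of 8 to 20 characters.
# These bounds are an assumption for this example; tune them against real captures.
_TOR_ISSUER_RE = re.compile(r"^www\.[a-z2-7]{8,20}\.com$")
_TOR_SUBJECT_RE = re.compile(r"^www\.[a-z2-7]{8,20}\.net$")


def matches_page_query(session: Dict) -> bool:
    """Literal translation of:  ssl.ca begins 'www.' && tcp.dstport = 9001"""
    return session["ssl_ca"].startswith("www.") and session["dstport"] == TOR_OR_PORT


def looks_like_tor_link_cert(session: Dict) -> bool:
    """Port-agnostic check on the certificate names alone (also catches Tor on 443)."""
    return bool(_TOR_ISSUER_RE.match(session["ssl_ca"])
                and _TOR_SUBJECT_RE.match(session["ssl_subject"]))


def run_detection(sessions: Iterable[Dict]) -> Dict[str, List[int]]:
    """Apply both rules and return the session ids each one flags."""
    hits: Dict[str, List[int]] = {"page_query": [], "tor_cert_pattern": []}
    for s in sessions:
        if matches_page_query(s):
            hits["page_query"].append(s["id"])
        if looks_like_tor_link_cert(s):
            hits["tor_cert_pattern"].append(s["id"])
    return hits


if __name__ == "__main__":
    for rule, ids in run_detection(SAMPLE_SESSIONS).items():
        print(f"{rule}: sessions {ids}")
```

Session 3 shows the trade-off in the page's query: a Tor handshake to a relay on port 443 is invisible to the port-filtered rule but is still caught by the certificate-name heuristic, while session 4 (a public CA on port 9001) is correctly ignored by both.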