Trojan:W32/NomadSnore is distributed as an auto-extracting WINRAR archive file that uses the extension ".scr". When launched, the contents of the NomadSnore archive file are unpacked by a WINRAR script into the %temp% folder.
Once the ransomware code is run, it searches for and encrypts files of various file types (e.g. *.jpeg, *.doc. *.mp4 etc.) on the affected machine using AES-128 encryption, with CTR as block mode. It then displays an image on the desktop containing a ransom demand (payable in Bitcoins) in return for the decryption key needed to restore the affected files.