Kaspersky Lab experts have discovered a new version of the RAA ransomware, a malware written entirely in JScript. The new trojan reaches victims in a zip archive that contains a malicious .js file. The updated version can also perform offline encryption without the need to request a key from the command server. Kaspersky Lab experts believe that by using this version of the malware, fraudsters will focus more on targeting business victims.
RAA ransomware appeared on the threat landscape in June 2016 and was the first known ransomware written entirely in JScript. In August, Kaspersky Lab experts found a new version. Like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment. This measure was implemented by criminals mainly to trick AV solutions because the content of the protected archive is harder to examine.
In analysing the emails, Kaspersky Lab experts concluded that fraudsters are targeting businesses rather than ordinary users as the malicious emails contain information about an overdue payment order from a supplier.
To make the emails sound more authentic, fraudsters mentioned that, for security reasons, the attached file had been password protected (the password for the archive was provided at the bottom of the email) and additionally protected with asymmetric encryption. This statement sounds ridiculous to cyber-savvy users but trustworthy to gullible victims.
The infection process looks similar to the previous version of RAA ransomware. The victim executes a .js file, which starts the malicious process. To distract the victim, the trojan shows a fake text document that contains a random set of characters. While the victim is trying to understand what is going on, RAA is encrypting files on the machine in the background. Finally, the ransomware creates a ransom note on the desktop and all encrypted files get a new .locked extension.
In comparison to the previous version, the key difference now is that RAA does not need to communicate with the C&C server in order to encrypt files on the victim’s PC, as it did previously. Instead of requesting a master key from the C&C server, the trojan generates, encrypts and stores it on the infected machine.
Cybercriminals hold the private key needed to decrypt the encrypted unique master key. Once the ransom is paid, the criminals ask the user to send them the encrypted master key, which will be returned to the victim decrypted, along with a piece of decryption software. This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the Internet.
Worse still, along with the RAA ransomware, the victim also receives the Pony Trojan. Pony is capable of stealing passwords from all email clients including corporate ones and sending them to a remote attacker. Having these passwords means that fraudsters can potentially propagate their malware on behalf of infected users, making it easier to convince the victim that the email is legitimate. From the corporate email of the victim, the malware can be spread to their entire list of business contacts. From there, fraudsters can select contacts of interest and perform targeted attacks.
“We believe that the RAA Trojan has been created to perform targeted attacks on businesses. The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money. This is primarily from the ransom that the company will pay to decrypt the data and secondly from new potential victims that can be targeted using the credentials gathered by the Pony Trojan. In addition, by allowing offline encryption, the new version of RAA further increases its severity”, said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.
In order to mitigate the risk of infection, businesses should consider the following advice:
- Use robust endpoint security technologies and AV solutions, making sure all ‘heuristic functions’ are enabled.
- Educate company employees to be cyber savvy.
- Constantly update software on company machines.
- Regularly perform security audits.
- Pay attention to file extensions before opening files. Potentially dangerous ones include .exe, .hta, .wsf and .js.
- Use common sense and be critical of all emails from unknown senders.
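The extension advice above can also be enforced at the mail gateway, even for the password-protected archives this campaign uses. The sketch below is an added example, not part of the original article or any Kaspersky product: it reads only the zip central directory, which needs no password, and the function names, verdict labels and sample archives are constructed for illustration.

```python
import io
import zipfile

# Extensions the article lists as potentially dangerous.
RISKY_EXTENSIONS = (".exe", ".hta", ".wsf", ".js")
ENCRYPTED_FLAG = 0x1  # general-purpose bit 0: entry is password protected


def triage_zip(attachment: bytes) -> dict:
    """Inspect a zip attachment via its central directory only (no password needed)."""
    report = {"encrypted": [], "risky": [], "verdict": "allow"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(attachment))
    except zipfile.BadZipFile:
        report["verdict"] = "quarantine"  # unparseable archive: hold for review
        return report
    with archive:
        for entry in archive.infolist():
            if entry.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them before matching.
            name = entry.filename.lower().rstrip(". ")
            if entry.flag_bits & ENCRYPTED_FLAG:
                report["encrypted"].append(entry.filename)
            if name.endswith(RISKY_EXTENSIONS):
                report["risky"].append(entry.filename)
    if report["risky"]:
        report["verdict"] = "block"       # script or executable inside the archive
    elif report["encrypted"]:
        report["verdict"] = "quarantine"  # content cannot be scanned without the password
    return report


def build_sample(filename: str, encrypted: bool) -> bytes:
    """Constructed test input: a one-entry zip, optionally marked as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(filename, "placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= ENCRYPTED_FLAG            # flags field of the local file header
        central = data.find(b"PK\x01\x02")   # start of the central directory record
        data[central + 8] |= ENCRYPTED_FLAG  # flags field of the central directory entry
    return bytes(data)


if __name__ == "__main__":
    print(triage_zip(build_sample("payment_order.js", encrypted=True)))
    print(triage_zip(build_sample("invoice.pdf", encrypted=True)))
```

This works because common zip password protection encrypts file contents but leaves entry names readable. An archive format that also encrypts its directory would need a stricter policy, such as quarantining every encrypted attachment.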
Currently, RAA ransomware is spreading among Russian-speaking users, given that the ransom note is in Russian. However, it might not be long before its authors decide to go global.
Kaspersky Lab products detect all known modifications of the RAA ransomware and password stealer Pony with the following detection names: Trojan-Ransom.JS.RaaCrypt, Trojan-PSW.Win32.Tepfer.