OREANDA-NEWS. September 12, 2016. Kaspersky Lab announced today that its experts have discovered a new version of the RAA ransomware, a piece of malware written entirely in JScript. The new Trojan is delivered to victims as a zip archive that contains a malicious .js file. The updated version can also perform offline encryption, without needing to request a key from the command-and-control server. Kaspersky Lab experts believe that cybercriminals are using this version of the malware to target businesses.

RAA ransomware appeared on the threat landscape in June 2016, and it was the first known ransomware written entirely in JScript. In August 2016, Kaspersky Lab experts found a new version. Like the previous version, this malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment. The criminals introduced this measure mainly to trick AV solutions, because the content of a password-protected archive is harder to examine.

In analyzing the emails, Kaspersky Lab experts concluded that the fraudsters are targeting businesses rather than ordinary users, as the malicious emails contain information about an overdue payment order from a supplier. To make the emails sound more authentic, the fraudsters state that, for security reasons, the attached file is password protected (the password for the archive is provided at the bottom of the email) and additionally protected with asymmetric encryption. This statement may sound ridiculous to cyber-savvy users, but trustworthy to unsuspecting victims.

The infection process looks similar to that of the previous version of RAA ransomware. The victim executes the .js file, which starts the malicious process. To distract the victim, the Trojan shows a fake text document that contains a random set of characters. While the victim is trying to understand what is going on, RAA is encrypting files on the machine in the background. Finally, the ransomware creates a ransom note on the desktop, and all encrypted files receive a new .locked extension.
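The mass rename to a single new extension described above is the kind of behaviour an endpoint or file-server monitor can alert on before all files are lost. The following is an added detection example, not code from the original article or from Kaspersky Lab: it parses constructed, tab-separated file-rename events (timestamp, process, old path, new path; the format and the process names are assumptions for illustration) and flags any process that renames at least a threshold number of files to .locked within a sliding time window.

```python
"""Flag processes that rename many files to .locked within a short window (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry: timestamp<TAB>process<TAB>old path<TAB>new path
SAMPLE_EVENTS = """\
2016-08-10T09:00:01\twscript.exe\tC:\\Users\\acct\\Docs\\q1.xlsx\tC:\\Users\\acct\\Docs\\q1.xlsx.locked
2016-08-10T09:00:02\twscript.exe\tC:\\Users\\acct\\Docs\\q2.xlsx\tC:\\Users\\acct\\Docs\\q2.xlsx.locked
2016-08-10T09:00:02\texplorer.exe\tC:\\Users\\acct\\Desktop\\new.txt\tC:\\Users\\acct\\Desktop\\notes.txt
2016-08-10T09:00:04\twscript.exe\tC:\\Users\\acct\\Docs\\contract.docx\tC:\\Users\\acct\\Docs\\contract.docx.locked
2016-08-10T09:00:05\twscript.exe\tC:\\Users\\acct\\Docs\\photo.jpg\tC:\\Users\\acct\\Docs\\photo.jpg.locked
2016-08-10T09:00:09\twscript.exe\tC:\\Users\\acct\\Docs\\budget.pdf\tC:\\Users\\acct\\Docs\\budget.pdf.locked
2016-08-10T09:00:12\twscript.exe\tC:\\Users\\acct\\Docs\\plan.pptx\tC:\\Users\\acct\\Docs\\plan.pptx.locked
2016-08-10T09:30:00\tnotepad.exe\tC:\\Users\\acct\\Desktop\\a.txt\tC:\\Users\\acct\\Desktop\\a.txt.locked
"""

# Extension that RAA appends to every encrypted file (from the article).
SUSPICIOUS_EXT = ".locked"


def parse_events(text):
    """Parse tab-separated rename events into (datetime, process, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, old, new = line.split("\t")
        events.append((datetime.fromisoformat(ts), proc, old, new))
    return events


def rename_bursts(events, threshold=5, window_seconds=60):
    """Return {process: peak count} for processes that renamed at least `threshold`
    files to SUSPICIOUS_EXT inside any window of `window_seconds` seconds."""
    per_proc = defaultdict(list)
    for ts, proc, _old, new in events:
        if new.lower().endswith(SUSPICIOUS_EXT):
            per_proc[proc].append(ts)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for proc, times in per_proc.items():
        times.sort()
        best, start = 0, 0
        # Two-pointer sliding window: count the densest run of renames per process.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[proc] = best
    return alerts


if __name__ == "__main__":
    for proc, count in rename_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT: {proc} renamed {count} files to {SUSPICIOUS_EXT} within 60 s")
```

With the constructed input only wscript.exe trips the default threshold (six renames in eleven seconds); the single notepad.exe rename is ignored unless the threshold is lowered to one. A real deployment would feed this from file-system auditing on the endpoint or file server, and the rename-to-new-extension pattern generalises to other ransomware families by changing `SUSPICIOUS_EXT` to a set of extensions.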

In comparison to the previous version, the key difference is that RAA no longer needs to communicate with the C&C server in order to encrypt files on the victim’s PC. Instead of requesting a master key from the C&C server, the Trojan generates a unique master key, encrypts it and stores it on the infected machine. The cybercriminals hold the private key needed to decrypt that encrypted master key. Once the ransom is paid, the cybercriminals ask the user to send them the encrypted master key, which is returned to the victim decrypted, along with a piece of decryption software. This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the Internet.

Along with the RAA ransomware, the victim also receives the Pony Trojan. Pony is capable of stealing passwords from all email clients, including corporate ones, and sending them to a remote attacker. Having these passwords means that the fraudsters can potentially propagate their malware on behalf of infected users, making it easier to convince the next victim that the email is legitimate. From the victim’s corporate email account, the malware can be spread to their entire list of business contacts. Once this occurs, the cybercriminals can select contacts of interest and perform targeted attacks.

“We believe that the RAA Trojan has been created to perform targeted attacks on businesses,” said Fedor Sinitsyn, senior malware analyst, Kaspersky Lab. “The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money. This is primarily from the ransom that the company will pay to decrypt the data and secondly from new potential victims that can be targeted using the credentials gathered by the Pony Trojan. In addition, by allowing offline encryption, the new version of RAA further increases its severity.”

In order to mitigate the risk of infection, businesses should consider the following advice:

  • Use robust endpoint security technologies and AV solutions, making sure all ‘heuristic functions’ are enabled
  • Educate company employees on how to be cyber-savvy
  • Keep software updated on company machines
  • Regularly perform security audits
  • Pay attention to file extensions before opening attachments. Potentially dangerous ones include .exe, .hta, .wsf and .js, among others
  • Use common sense and be critical of all emails from unknown senders
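A mail gateway or endpoint can apply the file-extension advice above even to the password-protected archives this campaign uses, because a zip’s central directory, including every member’s file name, is stored in cleartext; only the member contents are encrypted. The following is an added example, not code from the original article or from Kaspersky Lab: it constructs a harmless stand-in archive in memory whose member name mimics the lure (the name and contents are constructed for illustration), reads only the central directory, and reports any member whose final extension is on the dangerous list, along with whether that member is flagged as encrypted.

```python
"""Inspect zip member names for dangerous extensions without extracting (added example)."""
import io
import os
import zipfile

# Extensions named in the article; extend this set to match local policy.
DANGEROUS_EXT = {".exe", ".hta", ".wsf", ".js"}


def build_sample_archive():
    """Construct an in-memory zip that mimics the lure. The .js member is an inert
    stand-in containing only a comment; nothing here is a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment_order_overdue.pdf.js", "// constructed stand-in, no payload\n")
        zf.writestr("readme.txt", "constructed benign file\n")
    return buf.getvalue()


def dangerous_members(archive_bytes):
    """Return [(member_name, is_encrypted)] for members with a dangerous final extension.

    Only the central directory is parsed, so no password is needed and no member
    content is ever read or executed. Bit 0 of ZipInfo.flag_bits is the
    general-purpose 'encrypted' flag, which is how a password-protected entry
    would show up here even though its name is still readable.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in DANGEROUS_EXT:
                encrypted = bool(info.flag_bits & 0x1)
                hits.append((info.filename, encrypted))
    return hits


if __name__ == "__main__":
    for name, encrypted in dangerous_members(build_sample_archive()):
        state = "encrypted" if encrypted else "plain"
        print(f"BLOCK: archive member {name!r} has a dangerous extension ({state})")
```

Note that the check uses the final extension, so a double-extension name such as `Payment_order_overdue.pdf.js` is caught as `.js` even though Windows Explorer, with known extensions hidden, would display it as a PDF. Python’s `zipfile` cannot write password-protected archives, which is why the sample is unencrypted, but `infolist()` returns the same names and flags for a protected archive.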

Currently, RAA ransomware is spreading among Russian-speaking users, given that the ransom note is in Russian; however, it might not be long before its authors decide to go global.

Kaspersky Lab products detect all known modifications of the RAA ransomware and password stealer Pony with the following detection names: Trojan-Ransom.JS.RaaCrypt, Trojan-PSW.Win32.Tepfer.

Read more about the RAA Ransomware Trojan on Securelist.com.

According to the 2016 Corporate IT Security Risks Survey, 20 percent of businesses experienced a ransomware attack in the last 12 months. To help companies reduce the risk of ransomware infection more effectively, Kaspersky Lab has also released a free Anti-Ransomware Tool for Business.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company founded in 1997. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.