
New Version of RAA Ransomware Updated to Attack Business Targets

9 September 2016

Kaspersky Lab experts have discovered a new version of the RAA ransomware, a malware written entirely on JScript.

The new trojan reaches victims as a zip archive containing a malicious .js file. The updated version can also encrypt files offline, with no need to request a key from the command-and-control server. Kaspersky Lab experts believe that, with this version of the malware, the fraudsters will focus more on business victims.

RAA ransomware appeared on the threat landscape in June 2016 and was the first known ransomware written entirely in JScript. In August, Kaspersky Lab experts found a new version. Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment. The criminals introduced this measure mainly to evade AV solutions, because the content of a password-protected archive is harder to examine.

In analyzing the emails, Kaspersky Lab experts concluded that the fraudsters are targeting businesses rather than ordinary users: the malicious emails claim to contain information about an overdue payment order from a supplier. To make the emails sound more authentic, the fraudsters state that, for security reasons, the attached file has been password-protected (the password for the archive is given at the bottom of the email) and additionally protected with asymmetric encryption. This statement sounds ridiculous to cyber-savvy users but trustworthy to gullible victims.

The rest of the infection process looks similar to that of the previous version of RAA ransomware. The victim executes the .js file, which starts the malicious process. To distract the victim, the trojan shows a fake text document containing a random set of characters. While the victim is trying to understand what is going on, RAA is encrypting files on the machine in the background. Finally, the ransomware creates a ransom note on the desktop, and all encrypted files get a new .locked extension.

Compared to the previous version, the key difference is that RAA no longer needs to communicate with the C&C server in order to encrypt files on the victim's PC. Instead of requesting a master key from the C&C server, the trojan generates the master key locally, encrypts it and stores it on the infected machine. The cybercriminals hold the private key needed to decrypt the encrypted unique master key. Once the ransom is paid, the criminals ask the user to send them the encrypted master key, which is returned to the victim decrypted, along with a piece of decryption software. This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the Internet.

Worse still, along with the RAA ransomware, the victim also receives the Pony Trojan. Pony is capable of stealing passwords from all email clients including corporate ones and sending them to a remote attacker. Having these passwords means that fraudsters can potentially propagate their malware on behalf of infected users, making it easier to convince the victim that the email is legitimate. From the corporate email of the victim, the malware can be spread to their entire list of business contacts. From there, fraudsters can select contacts of interest and perform targeted attacks.

“We believe that the RAA Trojan has been created to perform targeted attacks on businesses. The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money. Primarily from the ransom that the company will pay to decrypt the data and secondly from new potential victims that can be targeted using the credentials gathered by the Pony Trojan. In addition, by allowing offline encryption, the new version of RAA further increases its severity”, said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

In order to mitigate the risk of infection, businesses should consider the following advice:

  • Use robust endpoint security technologies and AV solutions, making sure all ‘heuristic functions’ are enabled.
  • Educate company employees to be cyber savvy.
  • Constantly update software on company machines.
  • Regularly perform security audits.
  • Pay attention to the file extensions before opening them. Potentially dangerous ones include: .exe, .hta, .wsf, .js, etc.
  • Use common sense and be critical of all emails from unknown senders.
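The delivery vector described above (a password-protected zip carrying a .js file) can be screened at a mail gateway even though the entry contents cannot be scanned: ZIP file names and the per-entry encryption flag live in the clear in the central directory. The following Python is an added example written for this article, not Kaspersky Lab code; the quarantine policy, the extra extensions and the sample archive are constructed assumptions.

```python
import io
import zipfile

# Extensions the article lists as potentially dangerous, plus a few more
# script types commonly abused in mail attachments (assumption).
RISKY_EXTENSIONS = {".exe", ".hta", ".wsf", ".js", ".jse", ".vbs", ".scr"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Report on a ZIP attachment without extracting anything.

    Entry names and the 'encrypted' flag sit in the clear in the central
    directory, so a password on the archive hides the payload, not its name.
    """
    report = {"is_zip": False, "encrypted": False, "risky_entries": []}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    report["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & 0x1:              # bit 0: entry is encrypted
                report["encrypted"] = True
            name = info.filename.lower()
            dot = name.rfind(".")                 # last extension only, so
            ext = name[dot:] if dot >= 0 else ""  # "order.pdf.js" is caught
            if ext in RISKY_EXTENSIONS:
                report["risky_entries"].append(info.filename)
    return report


def should_quarantine(report: dict) -> bool:
    """Policy (assumed): any script/executable entry gets the message held;
    an encrypted archive holding one matches the RAA delivery pattern."""
    return report["is_zip"] and bool(report["risky_entries"])


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed sample: a ZIP with a harmless placeholder .js entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_order.js", "// placeholder, not malware\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write password-protected entries, so set the
        # "encrypted" general-purpose flag bit in the local file header
        # (offset 6) and in the central directory record (offset 8).
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)
```

Running `inspect_zip_attachment(build_sample_archive(True))` reports the archive as encrypted with `payment_order.js` flagged, and `should_quarantine` returns True without the password ever being needed.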

Currently, RAA ransomware is spreading among Russian-speaking users, given that the ransom note is in Russian. However, it might not be long before its authors decide to go global.

Kaspersky Lab products detect all known modifications of the RAA ransomware and password stealer Pony with the following detection names: Trojan-Ransom.JS.RaaCrypt, Trojan-PSW.Win32.Tepfer.

Read more about the RAA Ransomware Trojan at the blog on Securelist.com.

According to the 2016 Corporate IT security Risks Survey, 20% of businesses experienced a ransomware attack in the last 12 months. To help companies more effectively reduce the risk of ransomware infection, Kaspersky Lab has also released a free Anti-Ransomware Tool for Business.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. Kaspersky continuously transforms deep threat intelligence and security expertise into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the world. The company offers a comprehensive security portfolio, including leading endpoint protection solutions, a range of specialised security solutions and services, and Cyber Immune solutions for countering sophisticated and evolving digital threats. More than 400 million users are protected by Kaspersky technologies, and we help 200,000 corporate clients protect what matters most to them. For more information, visit www.kaspersky.com.cn.
