RAA Ransomware Tweaked to Attack Businesses

A new variant of RAA ransomware has been discovered by Kaspersky Lab. The new RAA ransomware variant has been developed to make it more effective against businesses.

RAA ransomware was first discovered in June. The ransomware was also found to incorporate Pony, an information-stealing Trojan. Since then, the hackers responsible for developing RAA ransomware have been working on making the file-encrypting, information-stealing malware more effective.

The new variant – called Trojan-Ransom.JS.RaaCrypt.ag – contains a number of new functions that make it far more effective at attacking businesses.

The primary method of delivery is the same as for the original RAA (RAA1): the ransomware is delivered to end users via email. However, in order to bypass spam filters, the latest version of the ransomware is sent in a password-protected zip archive. Most anti-malware solutions do not scan the contents of password-protected files.

The original form of RAA ransomware was written in JavaScript, although the authors have chosen JScript for the latest variant. Whereas the previous version of the ransomware required contact with a command and control server, the new version is able to encrypt files without any Internet connection. It is no longer necessary for the ransomware to contact a C2 server to obtain an encryption key.

Kaspersky Lab researchers discovered the new variant in August, approximately 2 months after the first version of the ransomware was identified. The latest version is being used to target corporate employees. So far the attacks have mainly been conducted in Russian speaking countries.

The ransomware is sent attached to spear phishing emails. The emails attempt to convince the user that they have failed to pay an invoice. They are threatened with litigation if payment is not made. This is a common tactic used by email scammers to convey a sense of urgency and get the target to open an infected email attachment.

In order to open the file attachment, the user is required to enter a password. The recipient is informed that security regulations require the file to be password-protected. The recipient can open the file by entering the password 111. Opening the zip file and unpacking the contents will result in the ransomware being installed on the victim’s computer. An RTF file is also opened on the infected device. However, while the end user reads the contents of that file, the ransomware is active and encrypting files.
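The two delivery details above (a password-protected archive that mail scanners cannot open, with the password handed to the recipient in the message body) can be detected without ever knowing the password, because encryption is recorded in the zip headers. The following is an added example written for this article, not code from Kaspersky Lab or from the article itself. It reads only the archive's central directory, flags encrypted entries and script files (JScript ships as a .js file; the other extensions listed are an assumption of this example), and looks for a password disclosed in the accompanying email text. Since Python's zipfile module cannot write password-protected archives, the constructed sample sets the encryption flag bit by hand; the payload stays plaintext and is a harmless placeholder.

```python
import io
import re
import zipfile

# File types that Windows Script Host or mshta will execute directly.
# RAA is JScript (.js); the remaining names are this example's assumption.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")

ENCRYPTED_FLAG = 0x1  # general-purpose flag bit 0: entry data is encrypted


def inspect_archive(zip_bytes: bytes) -> list[str]:
    """Return reasons to quarantine the archive (empty list if none).

    Only the central directory is parsed, so encrypted entries are still
    visible to the gateway even though their contents cannot be scanned.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    findings.append(f"encrypted entry cannot be scanned: {info.filename}")
                if info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                    findings.append(f"script file in archive: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("not a valid zip archive (possible corruption or evasion)")
    return findings


# Matches "Password: 111", "password = 111", "password is 111" but not the
# phrase "password-protected", which carries no secret.
PASSWORD_IN_BODY = re.compile(r"password\s*(?::|=|is)\s*([^\s.,;]+)", re.IGNORECASE)


def triage(zip_bytes: bytes, body_text: str) -> tuple[str, list[str]]:
    """Combine archive findings with the mail body; returns (verdict, reasons)."""
    findings = inspect_archive(zip_bytes)
    match = PASSWORD_IN_BODY.search(body_text)
    if match and any(f.startswith("encrypted entry") for f in findings):
        findings.append(f"archive password supplied in message body: {match.group(1)}")
    return ("quarantine" if findings else "deliver", findings)


def build_sample_archive(entries: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Construct an in-memory zip for the example (test fixture, not real mail).

    zipfile cannot produce encrypted archives, so when `encrypted` is set the
    general-purpose flag bit is patched in every local file header (flags at
    offset 6) and central directory header (flags at offset 8). ZIP_STORED is
    used so the placeholder text cannot collide with the header signatures.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    raw = bytearray(buf.getvalue())
    if encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + flag_offset] |= ENCRYPTED_FLAG
                pos = raw.find(signature, pos + len(signature))
    return bytes(raw)


# Constructed samples mirroring the lure described in the article.
SAMPLE_BODY = (
    "Your invoice remains unpaid. Per our security regulations the attached "
    "file is password-protected. Password: 111. Failure to pay will result in litigation."
)
SAMPLE_ARCHIVE = build_sample_archive(
    {"invoice.js": b"// constructed placeholder, not a real script\n"}, encrypted=True
)
BENIGN_ARCHIVE = build_sample_archive({"report.pdf": b"%PDF-1.4 constructed placeholder"})

if __name__ == "__main__":
    print(triage(SAMPLE_ARCHIVE, SAMPLE_BODY))
    print(triage(BENIGN_ARCHIVE, "Please find the quarterly report attached."))
```

A gateway rule built on this logic would quarantine encrypted archives outright, or at least those whose password is visible in the same message, since an archive the scanner cannot open is exactly the case this variant exploits.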

Once files have been encrypted the victim is presented with the ransom note. No specific demand is made for payment. The victim is required to contact the attackers to find out how payment must be made and how much the decryption keys will cost.

This presumably allows the attackers to set the ransom after further information has been gathered on the user. Information is gathered using the Pony info-stealing component. This component also allows the attackers to steal sensitive data from the victim and can help them gain access to the victim’s email account. It has been hypothesized that email access will be used to send the ransomware to the victim’s contacts, increasing the probability of more computers being infected.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news