New Ransomware – RAA

Email Us - 877.583.2841 - Request A Demo

Use This Form To Have A TruShield Team Member Contact You With More Information.

  • This field is for validation purposes and should be left unchanged.

Use This Form To Contact TruShield Inc Directly. Or you can call us at: 877.583.2841. We will respond back as quickly as possible!

  • This field is for validation purposes and should be left unchanged.

New Ransomware – RAA

This is a security alert for all TruShield clients, the financial services industry, and the community as a whole. We have learned of a new ransomware known as RAA. This ransomware infects computers and encrypts files using Javascript.

About RAA

RAA ransomware is written entirely in Javascript. The ransomware is delivered using a standard JS file and not through an executable, like the other ransomware. The RAA ransomware uses AES encryption to encrypt files and utilizes CryptoJS library for the process. To distribute this ransomware, the malicious actors use email to attach files that are hoax doc files. Once the file is opened, it encrypts the computer, and a ransom is demanded to get the files which are typical of ransomware. The amount requested is about $250 USD. This malware not only demands a ransom but also installs Pony, the malware that steals passwords, onto the victim’s computer embedded in the JavaScript file.

How it works

According to Bleeping Computers, after getting an email with the RAA Ransomware JS file and double clicking on the attachment within the email, a fake word document will be generated in %MyDocument% folder. The name of the document will be similar to doc_attached_CnIj4, and it opens up to trick victims into believing that the attachment they received is corrupted. In the background, the RAA ransomware will check if the victim’s computer has write access and if it does then it will use AES encryption to encrypt the different files utilizing code from CryptoJS library. Once the file is encrypted it will add .locked after the extension of the file and the targeted files are: .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv.

The ransomware does omit some of the files from encryption that contain .locked, ~, and $ or is in these folders: Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData, Microsoft. The Windows Volume Shadow Copy Service (VSS) is deleted to prevent the recovery of files from there. The final step is the ransom note created on the desktop. The JS file will execute every time the victim logs into Windows because the autorun feature is on.

The developers of this ransomware converted the Pony malware into base64 encoded and this also executes every time a new session begins. Pony malware is used to steal password and information from a computer. Malicious actors used it to gain intelligence of the system they infected and is usually associated with banking Trojans, but in this case, it wasn’t for RAA. According to Bleeping Computers RAA is currently undecryptable.

Conclusion

This is not the first malware to use javascript, but it uses it in its entirety. Although this malware is new, this will probably be the future of ransomware, and that’s because it is easier and simpler to create. Since it is obscured, this makes it harder to detect by security software. This type of ransomware will continue to develop gradually to become the go-to technique.

Mitigation

  • Disable windows scripting host
  • Avoid open emails from unknown sources
  • Avoid clicking attachment from unknown sources
  • Practice backing up important files
  • Actively monitor activities
  • Block JS file attachments

References:

http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-e ntirely-using-javascript/

https://community.spiceworks.com/topic/1664347-heads-up-raa-ransomware-written-entirely-in-javascript-and-bundled-with-pony

https://threatpost.com/raa-ransomware-composed-entirely-of-javascript/118641/

http://news.softpedia.com/news/raa-ransomware-is-100-percent-javascript-505228.shtml

http://www.informationsecuritybuzz.com/hacker-news/new-raa-ransomware-uses-javascript/

 

Download the PDF Version

Leave a reply

Copyright © 2016