RAA ransomware strain evolves to target businesses

security

The RAA strain of ransomware has been tweaked to specifically target businesses, according to Kaspersky Lab.

The security firm has uncovered a new version of the troublesome JScript ransomware, after it was first spotted in June this year.

"Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment," the security company said in a statement. "This measure was implemented by criminals with the intention of tricking [antivirus] solutions because the content of the protected archive [is] harder to examine."

The criminals are targeting businesses with an email about an overdue payment, saying that the attachment is password protected for "security reasons". Kaspersky said that might fool "less technical victims" into opening the folder.

Once it's opened, a text document is shown to the victim with a random set of characters. While the user puzzles over the file, RAA starts encrypting files on the machine, finishing by leaving a ransom note on the desktop.

Aside from targeting businesses, RAA has another change from the first version. It no longer needs to contact the command and control server to encrypt the files, and is instead capable of offline encryption. "This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the internet," Kaspersky Lab said.

And if that's not bad enough, RAA also leaves behind the Pony Trojan, which hoovers up passwords from email clients, so it can use your own email to spread the ransomware from your account.

"The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab.

"Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan."

It's worth noting that so far the RAA business update is only targeting Russian speakers. "However, it might not be long before its authors decide to go global," the company said.

To avoid becoming a victim of RAA and other business focused malware, Kaspersky suggests using "robust" endpoint security, ensuring software is up to date, and educating employees, particularly warning them to beware emails from unknown origins and to pay attention to file extensions before opening them.