New version of RAA ransomware spotted, targets business users

The new version no longer needs to be connected to the internet to encrypt files.

A new version of the RAA ransomware was found recently by security researchers at Kaspersky Lab. This one, written completely in JScript, seems to be targeting business users exclusively, the researchers claim.

It comes as they all do – through an email with a malicious attachment. This one, however, comes in a password-protected .zip file. This method does two things:

1) Makes it harder for anti-virus software to recognize the malware
2) Makes it seem more legitimate to the victims 
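
A gateway cannot scan the contents of a password-protected zip, but traditional zip encryption leaves the member names readable in the archive's central directory. The following added example (not code from the article or from Kaspersky Lab) triages an attachment on that basis; the script-extension list, the verdict names and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumption: extensions Windows Script Host runs; the article names no file type.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta")

def triage_zip(data: bytes) -> dict:
    """Classify a zip attachment from its central directory only.

    Traditional zip encryption protects member contents, not member names,
    so the names can be read without knowing the password.
    """
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return {"verdict": "unparseable", "encrypted": [], "scripts": []}
    # General-purpose flag bit 0 marks an encrypted member.
    encrypted = [m.filename for m in members if m.flag_bits & 0x1]
    scripts = [m.filename for m in members
               if m.filename.lower().endswith(SCRIPT_EXTS)]
    if set(encrypted) & set(scripts):
        verdict = "quarantine"   # a script that content scanning cannot read
    elif encrypted:
        verdict = "review"       # unscannable, but not an obvious script
    elif scripts:
        verdict = "scan"         # readable script: hand it to the AV engine
    else:
        verdict = "pass"
    return {"verdict": verdict, "encrypted": encrypted, "scripts": scripts}

def build_sample(name: str, encrypted: bool) -> bytes:
    """Constructed input: a harmless one-file zip, optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, "placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The end record's last 6 bytes are: central-directory offset (4),
        # comment length (2). The flag word sits 8 bytes into that record.
        cd = int.from_bytes(raw[-6:-2], "little")
        raw[cd + 8] |= 0x01
    return bytes(raw)

if __name__ == "__main__":
    for name, enc in [("invoice.js", True), ("invoice.pdf", True),
                      ("notes.js", False), ("report.txt", False)]:
        print(name, enc, triage_zip(build_sample(name, enc))["verdict"])
```

The samples only set the encryption flag so the check can be exercised offline; their contents are plain placeholder text.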

The email usually says something about 'overdue payment order from a supplier', to trick the victim into opening the attachment.

The second biggest change in this new version is that the victim's machine no longer needs to be online to be encrypted – all files can be locked while offline, as the malware does not need to communicate with its server.

Once the malicious file is run, it starts encrypting files, while simultaneously showing a text document with random characters to confuse the victim. By the time the victim realises what's going on, the files are already encrypted.

The malicious attachment also installs the Pony Trojan, which steals all email passwords. Hackers can then use the victim's accounts to further spread the malware. 

“We believe that the RAA Trojan has been created to perform targeted attacks on businesses. The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money. Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan. In addition, by allowing offline encryption, the new version of RAA further increases its severity”, said Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

Image Credit: Christiaan Colen / Flickr