RAA ransomware discovered

Security researchers have discovered a new ransomware known as ‘RAA.’ RAA impersonates a regular email (.JS) file attachment and is made entirely from Javascript rather than an executable file – like ‘Ransom32’, making it more effective depending on the situation.

What Happens:

The RAA attachment pretends to be a doc file with names like ‘mgJaXnwanx1S_doc_.js’ and once the attachment is opened, Windows will execute the program associated with Javascript files by default – ‘Windows Script Host’ or ‘wscript.exe’ – to generate a fake word document. This serves to fool the victim into assuming the attachment was corrupted whilst RAA scans all available drives in the background.

PERSONALIDS

To the victim, the opened RAA attachment doesn’t appear to do anything but it downloads the ‘Pony’ malware in the background – the password stealing Trojan. Additionally, the ‘Windows Volume Shadow Copy’ will be deleted by RAA so that encrypted files cannot be recovered whilst RAA continues to run in parallel to Windows – capturing as much additional information as possible.

Javascript as ransomware:

Standard Javascript implementations by default don’t possess advanced cryptographic functions, but the creators have used the ‘CryptoJS library’ to substitute the lack of cryptography – enabling the victim’s files to be locked using AES encryption.

The solution:

There is currently no way to decrypt the already encrypted files – without paying – but there are multiple methods users can employ to prevent an infection from happening in the first place:

  1. RAA Specific – When .JS files are executed outside of browsers an interpreter is needed to read and execute commands within it. Most individuals do not need to execute Javascript outside of browsers, hence it is suggested the ‘Windows Script Host’ is disabled so these types of files cannot be executed – please note Javascript can still run within the browser.
  2. Ensuring email security – SSL247® now offers email security.cloud protection, which provides you always-on, inbound and outbound messaging security against email viruses with a 99% spam capture rate. The solution is powered by Symantec’s Global Intelligence Network – one of the largest global security research networks – and protects against malware, spam, content filtering, phishing, and targeted attacks.

See article source here

For more information or if you have any questions, do not hesitate to contact our accredited experts for your FREE consultation:

null  0203 143 4120
null  sales@ssl247.co.uk

Share this:

Posted on Thursday 30 June 2016 by Antony Fung

Return to blog

Send us your comments


Your comment will not be published. If you have a question, do not forget to write your email address so that we can get back to you!