RAA ransomware strain evolves to target businesses

Kaspersky warns that the RAA ransomware has been tweaked to target businesses

The RAA strain of ransomware has been tweaked to specifically target businesses, according to Kaspersky Lab. 

The security firm has uncovered a new version of the troublesome JScript ransomware, after it was first spotted in June this year.

"Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment," the security company said in a statement. "This measure was implemented by criminals with the intention of tricking [antivirus] solutions because the content of the protected archive [is] harder to examine."

The criminals are targeting businesses with an email about an overdue payment, saying that the attachment is password protected for "security reasons". Kaspersky said that might fool "less technical victims" into opening the folder. 

Advertisement - Article continues below
Advertisement - Article continues below

Once it's opened, a text document is shown to the victim with a random set of characters. While the user puzzles over the file, RAA starts encrypting files on the machine, finishing by leaving a ransom note on the desktop. 

Aside from targeting businesses, RAA has another change from the first version. It no longer needs to contact the command and control server to encrypt the files, and is instead capable of offline encryption. "This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the internet," Kaspersky Lab said. 

And if that's not bad enough, RAA also leaves behind the Pony Trojan, which hoovers up passwords from email clients, so it can use your own email to spread the ransomware from your account. 

"The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab.

"Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan."

It's worth noting that so far the RAA business update is only targeting Russian speakers. "However, it might not be long before its authors decide to go global," the company said. 

Advertisement - Article continues below

To avoid becoming a victim of RAA and other business focused malware, Kaspersky suggests using "robust" endpoint security, ensuring software is up to date, and educating employees, particularly warning them to beware emails from unknown origins and to pay attention to file extensions before opening them. 

Featured Resources

How inkjet can transform your business

Get more out of your business by investing in the right printing technology

Download now

Journey to a modern workplace with Office 365: which tools and when?

A guide to how Office 365 builds a modern workplace

Download now

Modernise and transform your sales organisation

Learn how a modernised sales process can drive your business

Download now

Your guide to managing cloud transformation risk

Realise the benefits. Mitigate the risks

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular


How to use Chromecast without Wi-Fi

5 Feb 2020

The top ten password-cracking techniques used by hackers

10 Feb 2020
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020

Coronavirus starts to take its toll on the tech industry

6 Feb 2020