RAA ransomware strain evolves to target businesses

Kaspersky warns that the RAA ransomware has been tweaked to target businesses

The RAA strain of ransomware has been tweaked to specifically target businesses, according to Kaspersky Lab. 

The security firm has uncovered a new version of the troublesome JScript ransomware, after it was first spotted in June this year.

"Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment," the security company said in a statement. "This measure was implemented by criminals with the intention of tricking [antivirus] solutions because the content of the protected archive [is] harder to examine."

Advertisement - Article continues below

The criminals are targeting businesses with an email about an overdue payment, saying that the attachment is password protected for "security reasons". Kaspersky said that might fool "less technical victims" into opening the folder. 

Once it's opened, a text document is shown to the victim with a random set of characters. While the user puzzles over the file, RAA starts encrypting files on the machine, finishing by leaving a ransom note on the desktop. 

Aside from targeting businesses, RAA has another change from the first version. It no longer needs to contact the command and control server to encrypt the files, and is instead capable of offline encryption. "This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the internet," Kaspersky Lab said. 

Advertisement - Article continues below

And if that's not bad enough, RAA also leaves behind the Pony Trojan, which hoovers up passwords from email clients, so it can use your own email to spread the ransomware from your account. 

Advertisement - Article continues below

"The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab.

"Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan."

It's worth noting that so far the RAA business update is only targeting Russian speakers. "However, it might not be long before its authors decide to go global," the company said. 

To avoid becoming a victim of RAA and other business focused malware, Kaspersky suggests using "robust" endpoint security, ensuring software is up to date, and educating employees, particularly warning them to beware emails from unknown origins and to pay attention to file extensions before opening them. 

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now



University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020
ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

Is it time to put Intel Outside?

10 Jul 2020