RAA ransomware strain evolves to target businesses

Kaspersky warns that the RAA ransomware has been tweaked to target businesses

The RAA strain of ransomware has been tweaked to specifically target businesses, according to Kaspersky Lab. 

The security firm has uncovered a new version of the troublesome JScript ransomware, after it was first spotted in June this year.

"Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment," the security company said in a statement. "This measure was implemented by criminals with the intention of tricking [antivirus] solutions because the content of the protected archive [is] harder to examine."

The criminals are targeting businesses with an email about an overdue payment, saying that the attachment is password protected for "security reasons". Kaspersky said that might fool "less technical victims" into opening the folder. 

Advertisement - Article continues below
Advertisement - Article continues below

Once it's opened, a text document is shown to the victim with a random set of characters. While the user puzzles over the file, RAA starts encrypting files on the machine, finishing by leaving a ransom note on the desktop. 

Aside from targeting businesses, RAA has another change from the first version. It no longer needs to contact the command and control server to encrypt the files, and is instead capable of offline encryption. "This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the internet," Kaspersky Lab said. 

And if that's not bad enough, RAA also leaves behind the Pony Trojan, which hoovers up passwords from email clients, so it can use your own email to spread the ransomware from your account. 

"The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab.

"Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan."

It's worth noting that so far the RAA business update is only targeting Russian speakers. "However, it might not be long before its authors decide to go global," the company said. 

Advertisement - Article continues below

To avoid becoming a victim of RAA and other business focused malware, Kaspersky suggests using "robust" endpoint security, ensuring software is up to date, and educating employees, particularly warning them to beware emails from unknown origins and to pay attention to file extensions before opening them. 

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now


internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
cyber security

If not passwords then what?

8 Jan 2020
Policy & legislation

GDPR and Brexit: How will one affect the other?

9 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020