RAA ransomware strain evolves to target businesses

Kaspersky warns that the RAA ransomware has been tweaked to target businesses

The RAA strain of ransomware has been tweaked to specifically target businesses, according to Kaspersky Lab. 

The security firm has uncovered a new version of the troublesome JScript ransomware, after it was first spotted in June this year.

"Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment," the security company said in a statement. "This measure was implemented by criminals with the intention of tricking [antivirus] solutions because the content of the protected archive [is] harder to examine."

Advertisement - Article continues below

The criminals are targeting businesses with an email about an overdue payment, saying that the attachment is password protected for "security reasons". Kaspersky said that might fool "less technical victims" into opening the folder. 

Once it's opened, a text document is shown to the victim with a random set of characters. While the user puzzles over the file, RAA starts encrypting files on the machine, finishing by leaving a ransom note on the desktop. 

Aside from targeting businesses, RAA has another change from the first version. It no longer needs to contact the command and control server to encrypt the files, and is instead capable of offline encryption. "This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the internet," Kaspersky Lab said. 

Advertisement - Article continues below

And if that's not bad enough, RAA also leaves behind the Pony Trojan, which hoovers up passwords from email clients, so it can use your own email to spread the ransomware from your account. 

Advertisement - Article continues below

"The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab.

"Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan."

It's worth noting that so far the RAA business update is only targeting Russian speakers. "However, it might not be long before its authors decide to go global," the company said. 

To avoid becoming a victim of RAA and other business focused malware, Kaspersky suggests using "robust" endpoint security, ensuring software is up to date, and educating employees, particularly warning them to beware emails from unknown origins and to pay attention to file extensions before opening them. 




HP Support Assistant flaws leave Windows devices open to attack

6 Apr 2020
cyber security

Safari bug let hackers access cameras on iPhones and Macs

6 Apr 2020
video conferencing

Zoom CEO admits company "moved too fast" as privacy issues mount

6 Apr 2020
internet security

Mozilla fixes two Firefox zero-days being actively exploited

6 Apr 2020

Most Popular

application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020

Google releases location data to show effectiveness of coronavirus lockdowns

3 Apr 2020