
The original RAA Ransomware, which incorporated the information-stealing trojan Pony, was discovered last June. The new RAA Ransomware variant, dubbed Trojan-Ransom.JS.RaaCrypt.ag, has evolved to more effectively target companies, encrypting victims’ files and also stealing their data. The new ransomware is hidden in a password-protected zip archive attachment, and it can now perform offline encryption without having to request a key from the command-and-control server. The original RAA Ransomware was written in JavaScript, and the new Trojan-Ransom.JS.RaaCrypt.ag is coded in JScript.

According to Kaspersky:

Specifically targeting Russian-speaking countries, the spam emails containing RAA #2 are clearly directed at corporate employees, with a message that attempts to fool the recipient into thinking they are past due on a payment and may be subject to litigation. The message also claims that internal security regulations require the recipient to enter the password 111 in order to open the attached file.

It should be noted that sending malicious content in a password-protected archive is a well-known trick used by cyber-criminals to prevent anti-malware systems installed on mail servers from unpacking the archive and detecting any malicious content. To unpack an archive like this, the anti-malware product must automatically retrieve the password from the message, which isn’t always possible.
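A mail gateway can still triage such an attachment without the password, because standard ZIP encryption leaves the member names and the per-member "encrypted" flag readable. The sketch below is an added example, not code from Kaspersky or from the original post: it flags encrypted ZIP attachments, lists script-type members, and pulls password candidates from the message body for a downstream sandbox. The extension list, the regular expression, the English message text and the sample archive (which is only flagged as encrypted, not actually encrypted) are constructed assumptions.

```python
import io
import re
import zipfile
from email.message import EmailMessage

SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf")  # assumed blocklist of script types
PASSWORD_RE = re.compile(r"password\W+(?:is\W+)?([^\s.,;:!?\"']+)", re.IGNORECASE)

def candidate_passwords(body):
    """Tokens that directly follow the word 'password' in the message text."""
    return PASSWORD_RE.findall(body)

def triage(msg):
    """Return one finding per ZIP attachment that has encrypted members."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    findings = []
    for att in msg.iter_attachments():
        data = att.get_payload(decode=True)
        if not data or not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Flag bit 0 marks an encrypted member; names stay in cleartext.
            locked = [i.filename for i in zf.infolist() if i.flag_bits & 0x1]
        if locked:
            findings.append({
                "attachment": att.get_filename(),
                "encrypted_members": locked,
                "script_members": [n for n in locked if n.lower().endswith(SCRIPT_EXTS)],
                "password_candidates": candidate_passwords(body),
            })
    return findings

def build_sample():
    """Constructed test message; the archive is only flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "placeholder")
    raw = bytearray(buf.getvalue())
    raw[raw.rfind(b"PK\x01\x02") + 8] |= 0x01  # set flag bit 0 in the central directory
    msg = EmailMessage()
    msg.set_content("Internal security regulations require you to enter "
                    "the password 111 to open the attached file.")
    msg.add_attachment(bytes(raw), maintype="application", subtype="zip",
                       filename="documents.zip")
    return msg

if __name__ == "__main__":
    print(triage(build_sample()))
```

An encrypted archive with a script member and a password stated in the body is a strong quarantine signal on its own, even when the candidate password cannot be verified.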

Once installed, Trojan-Ransom.JS.RaaCrypt.ag opens an RTF file that poses as a Microsoft Word document in order to distract users while their files are encrypted. As for the ransom, no amount is specified; instead, the victim is given ways to contact the attacker via email or BitMessage and is warned that their files are encrypted by the algorithm AES, which is used “to protect the state secret.”

The Pony trojan, which resides as an executable inside RAA’s code, exfiltrates the infected machine’s confidential data. The attacker can then gain access to the victim’s contacts and other resources, presumably to carry out more targeted attacks.

More Information About Trojan-Ransom.JS.RaaCrypt.ag

For more information about this ransomware, please view the blog post by Kaspersky Lab researchers below:

Source: Securelist