Kaspersky Lab researchers report that the RAA ransomware has recently been modified to target businesses specifically. The security vendor first spotted the notorious JScript ransomware in June this year and has now come across a new version of it.
“Just like the previous one, the malware is distributed via email, but now the malicious code is hidden in a password-protected zip archive attachment.” – the security company stated – “This measure was implemented by criminals with the intention of tricking [antivirus] solutions because the content of the protected archive [is] harder to examine.”
RAA is distributed via malicious emails posing as an overdue payment notice and claiming that the attachment is password-protected for “security reasons”. According to Kaspersky, this is meant to trick “less technical victims” into opening the file.
When a victim opens it, they see a text document full of random characters. While the confused victim is trying to make sense of this “overdue payment”, the ransomware starts encrypting files; when it is done, it leaves a ransom note on the desktop.
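One defensive check the delivery method described above suggests, added here as an example and not taken from the article or from Kaspersky: a mail-gateway routine that inspects a ZIP attachment's central directory without extracting it, and quarantines archives whose members carry the encryption bit (the mark of a password-protected archive) or whose members have script or executable extensions. The extension list, the member names and the sample archives are constructed for this example; the archive built with `password_protected=True` only has the encryption flag set and is not actually encrypted.

```python
import io
import os
import struct
import zipfile

# Extensions a gateway would treat as directly executable on Windows.
# Constructed list for this example; adjust to local policy.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".exe", ".scr"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Decide whether a ZIP attachment should be quarantined.

    Only the central directory is read, so no password is needed:
    - bit 0 of each member's general purpose bit flag marks it as encrypted
      (i.e. the archive is password-protected);
    - member names are checked for script/executable extensions.
    Malformed archives are quarantined as well rather than waved through.
    """
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {"encrypted": False, "script_members": [],
                "verdict": "quarantine", "reason": "malformed archive"}

    encrypted = False
    script_members = []
    for info in archive.infolist():
        if info.flag_bits & 0x1:          # encryption flag
            encrypted = True
        ext = os.path.splitext(info.filename)[1].lower()
        if ext in SCRIPT_EXTS:
            script_members.append(info.filename)

    reasons = []
    if encrypted:
        reasons.append("password-protected archive")
    if script_members:
        reasons.append("script/executable member")
    return {
        "encrypted": encrypted,
        "script_members": script_members,
        "verdict": "quarantine" if reasons else "pass",
        "reason": "; ".join(reasons) or "no findings",
    }


def build_sample_zip(member_name: str, password_protected: bool) -> bytes:
    """Constructed test input: a ZIP holding one harmless text member.

    When password_protected is True the encryption bit is set in both the
    local file header (flag field at offset +6) and the central directory
    entry (flag field at offset +8), so the archive looks password-protected
    to a parser. The content is NOT encrypted; this only exercises the check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, "harmless placeholder text\n")
    data = bytearray(buf.getvalue())
    if password_protected:
        local_hdr = data.find(b"PK\x03\x04")
        central_hdr = data.find(b"PK\x01\x02")
        for offset in (local_hdr + 6, central_hdr + 8):
            flags = struct.unpack_from("<H", data, offset)[0] | 0x1
            struct.pack_into("<H", data, offset, flags)
    return bytes(data)


if __name__ == "__main__":
    samples = {
        "plain.txt in unprotected zip": build_sample_zip("plain.txt", False),
        "invoice.js in password-protected zip": build_sample_zip("invoice.js", True),
        "not a zip at all": b"this is definitely not a zip archive, just text",
    }
    for label, blob in samples.items():
        print(f"{label}: {inspect_zip_attachment(blob)}")
```

The decision is made from header metadata alone, which is exactly what a password-protected archive cannot hide from a gateway: the archive format leaves the member names and the encryption flag in the clear even when the content is unreadable.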
Targeting businesses is not the only change, however. Instead of contacting a C&C server as before, the new version can encrypt files offline.
“This scheme was obviously implemented to allow the malware to encrypt offline machines as well as ones that can connect to the internet.” – Kaspersky Lab said.
That is not all. RAA also drops the Pony Trojan, which steals passwords, including email credentials, from its victims so that their own accounts can be used to spread the ransomware further.
“The combination of ransomware and password stealer gives cybercriminals a dangerous mix, increasing the chances of receiving money.” – said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab – “Primarily from the ransom that the company will pay to decrypt the data, and secondly, from new potential victims that can be targeted using the credentials gathered by the Pony Trojan.”
Importantly, at least for now, RAA targets only Russia-based users.
“However, it might not be long before its authors decide to go global.” – Kaspersky warned.
To avoid falling victim to this threat, Kaspersky advises businesses to keep their software up to date and to invest in employee training. Staff must be warned to be extra careful with emails from unknown or suspicious senders and to double-check all attachments before opening them.