A new variant of the RAA ransomware has been identified by security researchers. The updated version adds several features that make it a more dangerous threat than the original.
The RAA Ransomware Has an Updated Feature Set
The newly discovered variant, detected as Ransom.JS.RaaCrypt.ag, has several new features. Among them is the ability to arrive inside a password-protected zip file. Because the contents of an encrypted archive cannot be inspected without the password, mail gateways and antivirus engines cannot scan the payload, so the attachment is more likely to reach the recipient's inbox and the infection rate rises.
RAA can now also encrypt the victim's files entirely on its own, without contacting a remote command-and-control (C&C) server. The source code has been rewritten in JScript to improve performance.
The first attacks with the new version were detected last month in a large spam campaign. The operators targeted Russian-speaking countries, and the messages were aimed at corporate employees. The lure was a phishing email built around a fake payment notification. Every message carries a zip file attachment that contains the RAA ransomware.
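The password-protected archive described above defeats content scanning, but not metadata inspection: the ZIP central directory (member names, sizes and flag bits) is stored in cleartext even when the member data is encrypted. The following added example, which is not RAA's own code and not any vendor's tool, uses that property to triage an attachment the way a mail gateway could, quarantining archives that carry a password-protected script without ever needing the password. The list of script extensions and the sample archives are constructed for the example and are not taken from the report.

```python
"""Attachment triage for password-protected ZIP archives carrying scripts.

Added example; not RAA's own code and not a vendor tool. It relies on one
property of the ZIP format: the central directory (member names, sizes,
flag bits) is cleartext even when member data is password-protected, so
the archive can be classified without the password that the phishing
e-mail hands to the victim.
"""
import io
import struct
import zipfile

# Extensions Windows runs on double-click (Windows Script Host, HTA,
# executables, shortcuts). Assumed list for the example, not from the report.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".scr", ".exe", ".lnk")

ZIP_ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag field


def scan_zip_attachment(data: bytes) -> dict:
    """Classify a ZIP attachment from its central directory alone.

    Returns {"encrypted_members": [...], "script_members": [...], "verdict": v}
    where v is "quarantine" (a password-protected script member is present),
    "review" (scripts or encryption appear, but not together), "allow"
    (neither) or "malformed" (not a readable ZIP). No member is extracted,
    so no password is needed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"encrypted_members": [], "script_members": [], "verdict": "malformed"}

    encrypted, scripts = [], []
    for info in infos:
        name = info.filename
        if info.flag_bits & ZIP_ENCRYPTED_FLAG:
            encrypted.append(name)
        # Only the final extension matters: "invoice.pdf.js" still runs as .js.
        if name.lower().endswith(SCRIPT_EXTENSIONS):
            scripts.append(name)

    if set(encrypted) & set(scripts):
        verdict = "quarantine"
    elif encrypted or scripts:
        verdict = "review"
    else:
        verdict = "allow"
    return {"encrypted_members": encrypted, "script_members": scripts, "verdict": verdict}


def build_sample_zip(member_name: str, payload: bytes, password_protected: bool) -> bytes:
    """Construct a one-member test archive for the scanner above.

    Python's zipfile cannot write encrypted entries, so password protection
    is simulated by setting the encryption bit in the general-purpose flag
    field of both the local file header and the central directory entry.
    The member data is left as-is; the scanner only reads the flag.
    The payload must not itself contain a ZIP header signature.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    raw = bytearray(buf.getvalue())
    if password_protected:
        # Local file header: signature(4) version(2) flags(2) -> flags at +6.
        lfh = raw.find(b"PK\x03\x04")
        # Central directory header: signature(4) made_by(2) needed(2) flags(2) -> +8.
        cdh = raw.find(b"PK\x01\x02")
        for offset in (lfh + 6, cdh + 8):
            (flags,) = struct.unpack_from("<H", raw, offset)
            struct.pack_into("<H", raw, offset, flags | ZIP_ENCRYPTED_FLAG)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed samples: a lure shaped like the campaign's, and a harmless archive.
    lure = build_sample_zip("payment_notice.js", b"var wsh = WScript;", True)
    benign = build_sample_zip("report.csv", b"id,amount\n1,10\n", False)
    for label, blob in (("lure", lure), ("benign", benign)):
        print(label, scan_zip_attachment(blob))
```

The verdict deliberately does not depend on the archive being unpacked: a gateway that waits for a password before deciding has already lost, because the password travels in the same phishing e-mail and only the victim will ever type it.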
The malware behaves much like the original version. It opens an RTF file posing as a legitimate Microsoft Word document to distract the user while the encryption runs in the background. The one operational difference is that the new variant generates its encryption key on the infected host rather than waiting for a C&C server to supply one, so it can encrypt files even on a machine with no outbound connectivity.
This variant does not state a fixed ransom amount. Instead, the ransom note instructs victims to contact the operators by email or Bitmessage. The package also embeds the Pony credential-stealing component in the RAA code; the criminals use it to harvest passwords and other sensitive data from the infected machine, and the stolen data can then be reused in further large-scale campaigns.
Fortunately, because the threat generates its key locally and does not depend on communication with an external server, security experts may find it easier to build an effective decryption utility. That holds only if the key material is actually recoverable from the infected host, however: if the sample protects the locally generated key with an embedded public key before discarding the plaintext copy, offline operation by itself gives a decryptor nothing to work with.