New RAA ransomware strain created entirely with JScript

In recent months, the vast majority of ransomware infections have been delivered by e-mail as a JScript file inside a zip attachment. Unlike conventional executables (.exe or .com files), a JScript file (.js extension) is handed to the Windows Script Host on double-click and generally triggers no security warning or request for administrator rights. Most e-mail providers, including Gmail, do not block zipped JScript attachments either.

The latest strain discovered by security researchers, named RAA, is written entirely in JScript. Earlier JScript infections were only downloaders: the script silently fetched the ransomware executable from the Internet, which left them exposed to Internet security software, particularly software firewalls that strictly control which processes may access the network. RAA instead bundles the CryptoJS library inside the script, so the script alone encrypts the user's personal files and then demands a ransom of about $250 to decrypt them, in a note written in Russian:


[Image: RAA ransomware ransom note]

If that were not bad enough, the JScript file also carries the password-stealing malware Pony, packed as a base64-encoded executable inside the script. When launched, the script decodes this executable, writes it to disk and installs it on the victim's computer, where it can steal passwords from over 110 applications, including web browsers, VPN, FTP and e-mail clients.

Like most e-mail attachment infections, the JScript file pretends to be a document. When launched, it generates a fake Word document with a name similar to the attachment's and opens it automatically, so that the JScript file appears to have been a document all along. The fake document, written in Russian, suggests that the file is corrupt.


In the background, the JScript file scans all available drives with write access and encrypts a range of file types, including pictures, documents, spreadsheets and CAD files, appending a '.locked' extension to each encrypted file. It then deletes the Windows Volume Shadow Copy Service (VSS), and possibly the shadow copies themselves, so that files cannot be recovered from shadow volume copies.

Once the malware has finished encrypting, it places a ransom note on the desktop, written in Russian, demanding 0.39 BTC (about $250). Besides installing the Pony malware, it also registers itself to run automatically each time the user logs in, so that any new documents placed on the computer are encrypted as well. At the time of writing, there is no known way to decrypt the files for free.

Further information can be found in this Bleeping Computer article.
