RAA ransomware now targets businesses, installs data stealing 'Pony' malware

Rapidly evolving ransomware is also able to infect machines even if there's no connection to the command and control server for encryption
Written by Danny Palmer, Senior Writer

You don't want this pony

Image: iStock

A form of ransomware which also contains a data stealing Trojan has been updated to become more effective at attacking business targets with new techniques including the ability to install malware and encrypt machines even if they're offline.

The RAA ransomware first appeared in June this year, but ransomware is a rapidly evolving operation - as demonstrated by the boom in it this year - and cybersecurity researchers at Kaspersky Lab have already discovered a new variant of it.

Like the previous version of the ransomware, RAA is distributed by email, but now the malware-dropping code is hidden in a password-protected Zip attachment to make it more difficult for anti-virus software to discover - the contents of protected archives are harder for security programmes to examine properly.
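A password-protected archive hides entry contents from a scanner, but not the entry names or the flag that says they are encrypted: both sit in the ZIP central directory in the clear. The following Python is an added example (not code from the article or from Kaspersky Lab) of a mail-gateway check that parses only that directory, with no extraction, and flags an attachment if any entry is encrypted or carries a script extension such as the .js dropper the article describes. The extension list, the sample archive and the helper names are assumptions made for this example.

```python
import io
import struct
import zipfile

# Script/executable extensions a gateway would treat as suspicious inside an
# archive. ".js" is the dropper type named in the article; the rest are assumed.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".wsf", ".hta", ".exe", ".scr"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Read the ZIP central directory without extracting any entry.

    General-purpose bit 0 of each entry's flags marks it as encrypted; the
    filename itself is never encrypted, so names can still be screened.
    """
    encrypted, scripts = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.flag_bits & 0x1:          # entry is password-protected
                encrypted.append(name)
            lower = name.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SCRIPT_EXTENSIONS:
                scripts.append(name)
    return {
        "encrypted": encrypted,
        "scripts": scripts,
        "suspicious": bool(encrypted) or bool(scripts),
    }


def build_sample(name: str, protected: bool) -> bytes:
    """Constructed sample archive (assumed helper, not a real attachment).

    zipfile cannot write password-protected entries, so the encryption flag
    is set by hand in both the local header (flags at offset 6) and the
    central directory header (flags at offset 8). The content is a harmless
    placeholder; only the flag matters for the directory-level check.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, "// constructed placeholder content\n")
    raw = bytearray(buf.getvalue())
    if protected:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(sig)
            flags = struct.unpack_from("<H", raw, pos + off)[0]
            struct.pack_into("<H", raw, pos + off, flags | 0x1)
    return bytes(raw)


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample("invoice.js", protected=True)))
    print(inspect_zip_attachment(build_sample("report.txt", protected=False)))
```

Because the check never opens an entry, it works on archives whose password the gateway does not know; the trade-off is that it can only reason about names and flags, so a policy that quarantines any encrypted archive containing a script-named entry is the practical outcome rather than content scanning.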

RAA has also changed its targets, now choosing businesses over ordinary users, probably because the pay-off can be much higher. The emails claim to contain information about an overdue payment to a supplier, with the details of the fraudulent payment request hidden in the Zip file, which the email says is done "due to security reasons". The implication that the email carries additional security might be enough to trick a user into beginning the process of installing RAA.

The infection process remains similar to the previous version: the ransomware is installed when the victim runs the malicious .js file. The operation distracts the victim during installation by displaying a fake text document filled with random characters, then shows a ransom note and encrypts files, appending a .locked extension.
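The .locked extension the article mentions is the kind of artefact a file-server audit log exposes: a single rename is unremarkable, but many distinct files renamed to .locked within a short window is the pattern of bulk encryption. The Python below is an added example (not from the article or from Kaspersky Lab) of a sliding-window detector over constructed audit lines; the log format, the window length and the threshold are assumptions chosen for the example.

```python
from collections import deque
from datetime import datetime, timedelta

LOCKED_EXT = ".locked"        # extension the article reports RAA appending
WINDOW = timedelta(seconds=60)  # assumed window for the example
THRESHOLD = 5                 # assumed number of distinct renames to alert on

# Constructed file-audit lines in an assumed format:
# "<ISO timestamp> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = """\
2016-09-06T09:58:10 RENAME D:\\share\\notes.txt -> D:\\share\\notes_old.txt
2016-09-06T10:01:02 RENAME D:\\share\\q3.xlsx -> D:\\share\\q3.xlsx.locked
2016-09-06T10:01:03 RENAME D:\\share\\invoice.pdf -> D:\\share\\invoice.pdf.locked
2016-09-06T10:01:03 RENAME D:\\share\\contract.docx -> D:\\share\\contract.docx.locked
2016-09-06T10:01:05 RENAME D:\\share\\budget.xlsx -> D:\\share\\budget.xlsx.locked
2016-09-06T10:01:06 RENAME D:\\share\\plan.pptx -> D:\\share\\plan.pptx.locked
2016-09-06T10:01:07 RENAME D:\\share\\photo.jpg -> D:\\share\\photo.jpg.locked
"""


def parse_event(line: str):
    """Split one audit line into (timestamp, action, old_path, new_path)."""
    ts, action, rest = line.split(" ", 2)
    old, new = rest.split(" -> ", 1)
    return datetime.fromisoformat(ts), action, old, new


def detect_locked_burst(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the timestamp at which the number of distinct files renamed to
    .locked inside the sliding window first reaches the threshold, else None.
    """
    recent = deque()  # (timestamp, new_path) of recent .locked renames
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, action, _old, new = parse_event(line)
        if action != "RENAME" or not new.lower().endswith(LOCKED_EXT):
            continue
        recent.append((ts, new))
        # Drop renames that fall outside the window ending at this event.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len({path for _, path in recent}) >= threshold:
            return ts
    return None


if __name__ == "__main__":
    hit = detect_locked_burst(SAMPLE_EVENTS.splitlines())
    print("burst detected at", hit)
```

Counting distinct target paths rather than raw events keeps a single file renamed back and forth from tripping the alert, and keying on the extension alone keeps the rule cheap enough to run on a busy share; a production rule would pair it with a honeypot file or per-user rate limits rather than rely on one extension string.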

What makes this new version of RAA even more effective is that it no longer needs to communicate with the C&C server in order to encrypt files on the victim's PC. Instead of requesting a master key as it did previously, the trojan generates its own keys on the infected machine, ultimately enabling RAA to infect offline machines as well as those connected to the internet.

As if locking a business out of its files wasn't bad enough, the ransomware payload also delivers the Pony Trojan, a form of data stealing malware capable of stealing login credentials - essentially working in the opposite order to BetaBot, malware which steals data and then also infects the victim with ransomware.

For hackers, the ability to get their hands on corporate credentials only improves the potential effectiveness of the ransomware scheme, providing them with the opportunity to use legitimate business accounts to spread the trojan to their contacts and even perform targeted attacks. There's also the possibility that they could sell the credentials to other hackers on the dark web.

Like other forms of ransomware, the hackers demand a ransom from victims in exchange for decrypting the files. While the malware mainly targets Russian speakers at present, its success could mean that it goes global sooner rather than later.

Ransomware is increasingly taking aim at business networks as a successful attack could result in a highly lucrative pay-off - as demonstrated by the attack against a Hollywood hospital which saw cybercriminals walk away with a $17,000 Bitcoin ransom.

Despite the increasing threat of cyberattacks, new figures from Juniper Research suggest that businesses still aren't grasping the issues around cybersecurity; three quarters of organisations believe that they are entirely secure, despite half of those having knowingly suffered some sort of breach.

The research found that under one third of organisations actively monitor emails for phishing attempts, despite this attack technique being the one most often used by malware and ransomware campaigns and fairly easily avoided with some basic cybersecurity techniques.