A form of ransomware which also contains a data-stealing Trojan has been updated to become more effective at attacking business targets, with new techniques including the ability to install malware and encrypt machines even when they're offline.
Like the previous version of the ransomware, RAA is distributed by email, but the code that drops the malicious software is now hidden in a password-protected Zip attachment to make it harder for anti-virus software to detect: the contents of protected archives are harder for security programmes to examine properly.
RAA has also changed its targets, now going after businesses rather than ordinary users, probably because the pay-off can be much higher. The emails claim to contain information about an overdue payment to a supplier, with the details of the supposed payment request hidden in the Zip file, which the malware authors say is "due to security reasons". The implication that the email carries extra security might be enough to trick a user into starting the process that installs RAA.
The infection process remains similar to the earlier version: the ransomware is installed when the victim runs the malicious .js file. During installation the operation distracts the victim by displaying a fake text document filled with random characters, before showing a ransom note and encrypting files with a .locked extension.
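The two lure characteristics described above, a password-protected Zip attachment and a .js dropper inside it, are both visible from the archive's headers without extracting anything, which is what a mail-gateway triage check can key on. The following is an added example written for this page, not code from the article or from any vendor; the list of script extensions beyond .js is an assumption, and the sample archive is constructed in memory (the encryption flag is patched into the headers because Python's zipfile cannot write password-protected archives itself):

```python
import io
import struct
import zipfile

# Extensions treated as script droppers. The article names .js; the others
# are an assumption added here for illustration.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".wsf", ".hta")


def triage_zip_attachment(data: bytes) -> dict:
    """Inspect a ZIP attachment from its headers only, without extracting.

    Returns the entry names, which entries carry the ZIP encryption flag
    (general-purpose flag bit 0), which have a script extension, and a
    verdict: 'quarantine' for an encrypted archive hiding a script,
    'review' for either signal alone, 'allow' for neither.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    names = [zi.filename for zi in infos]
    encrypted = [zi.filename for zi in infos if zi.flag_bits & 0x1]
    scripts = [zi.filename for zi in infos
               if zi.filename.lower().endswith(SCRIPT_EXTENSIONS)]
    if encrypted and scripts:
        verdict = "quarantine"
    elif encrypted or scripts:
        verdict = "review"
    else:
        verdict = "allow"
    return {"entries": names, "encrypted": encrypted,
            "scripts": scripts, "verdict": verdict}


def build_sample_zip(name: str, payload: bytes, mark_encrypted: bool) -> bytes:
    """Build a one-entry ZIP in memory as constructed test data.

    When mark_encrypted is set, bit 0 of the general-purpose flags is set in
    both the local file header and the central directory entry. The payload
    is not actually encrypted; only the header flag that scanners check is
    set, which is enough to exercise the triage logic above.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        # Local file header: signature(4) version(2) flags(2) -> flags at offset 6
        assert raw[:4] == b"PK\x03\x04"
        flags = struct.unpack_from("<H", raw, 6)[0] | 0x1
        struct.pack_into("<H", raw, 6, flags)
        # Central directory header: signature(4) made-by(2) needed(2) flags(2) -> offset 8
        cd = raw.find(b"PK\x01\x02")
        assert cd != -1
        flags = struct.unpack_from("<H", raw, cd + 8)[0] | 0x1
        struct.pack_into("<H", raw, cd + 8, flags)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed sample mimicking the lure: a .js file in a "protected" archive.
    sample = build_sample_zip("overdue_invoice.js",
                              b"// constructed placeholder, not malware\n",
                              mark_encrypted=True)
    print(triage_zip_attachment(sample))
```

The check deliberately does not attempt to open or guess the archive password: the point is that the combination of an encryption flag and a script file name is itself the signal, and it is available to a gateway even when the content cannot be scanned.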
What makes this new version of RAA even more effective is that it no longer needs to communicate with a C&C server to encrypt files on the victim's PC. Instead of requesting a master key as it did previously, the trojan generates its own keys on the infected machine, which lets RAA infect offline machines as well as those connected to the internet.
For hackers, getting their hands on corporate credentials only improves the potential effectiveness of the ransomware scheme, giving them the opportunity to use legitimate business accounts to spread the trojan to those accounts' contacts and even to carry out targeted attacks. There's also the possibility that they could sell the credentials to other hackers on the dark web.
Like other forms of ransomware, the hackers demand a ransom from victims in exchange for decrypting their files. While the malware mainly targets Russian speakers at present, its success could mean it goes global sooner rather than later.
Despite the increasing threat of cyberattacks, new figures from Juniper Research suggest that businesses still aren't grasping the issues around cybersecurity: three-quarters of organisations believe that they are entirely secure, despite half of those having knowingly suffered some sort of breach.