RAA Ransomware Written in JScript to Avoid Detection

RAA Ransomware Written in JScript to Avoid Detection

Security experts have discovered a new type of ransomware written entirely in scripting language JScript – potentially in a bid to avoid detection by traditional filtering tools.

RAA was first thought to have been written in JavaScript, but this is not the case, according to Trend Micro technical director, Renaud Bidou.

He explained in a lengthy blog post on Monday that the new threat – detected as RANSOM_JSRAA.A – is written in a language designed specifically for Windows systems and executed by the Windows Scripting Host engine only through Internet Explorer (IE), not Edge.

“Perhaps, cyber crooks are leveraging the JScript scripting language to add another layer of difficulty in detection as this can make polymorphism and obfuscation easier,” he claimed.

“Cyber-criminals know it’s a race; they capitalize on the lapse of time where their malware remains undetected in order to maximize their profit.”

JScript and similar are also highly portable languages and work on most modern Windows OS-based machines without any change required in the code, Bidou claimed.

It can be executed by clicking on a spam email attachment, as well as “through an object within an Office document, or even via command line,” he added.

Encryption is taken care of via the open source CryptoJS, which supports AES-128, AES-192 and AES-256 and encrypts 16 file types – although not those in directories such as Recycle Bin, Program Files, Temp, and Windows.

As if encrypting a victim’s most important files wasn’t enough, the ransomware also drops data-stealing malware Fareit (Pony), which is designed to steal stored credentials from FTP clients, email clients, web browsers and bitcoin wallets.

It also disables back-up and restore while it’s working, causing even more problems for IT admins.

RAA seems to be one of the more sophisticated ransomware variants, featuring dedicated ‘customer’ support via Bitmessage, a decentralized P2P communications protocol used to send encrypted messages, and the offer of decrypting a few sample files for free to prove its legitimacy.

Trend Micro recommended organizations mitigate the risk of ransomware attack by backing-up using the “3-2-1 rule” – at least three copies in two different formats with one copy off-site.

It also suggested IT security bosses operate a layered approach to threat protection; covering web and email gateway, endpoint, network and servers – in order to lock down risk in a more holistic manner.

Source: Information Security Magazine