New Ransomware Written in JavaScript is Serious Threat


Cyber criminals are finding ever more inventive and sophisticated ways to get through or around cyber defences. The latest malware attack to be having some success in doing so is ransomware written in JavaScript.

Ransomware Rise

As an IT Support Company in Hertfordshire we keep up to date with the latest developments in the world of data and cyber security. One of the growing trends over the last 6 months has been an increase in the use of malware, and particularly ransomware. So-called ‘ransomware’ is a type of malware that encrypts important files on the victim’s computer so that the person is essentially locked out of those files. The victim is then sent a demand for money to release the files.

RAA - A New Type of Ransomware

Earlier this year Microsoft reported seeing an increase in a new type of malware that was written in JavaScript and then sent as an email attachment. The ‘Locky’ ransomware program in May used JavaScript-based attachments for its distribution.
The successor to Locky that is also having considerable success in exploiting Windows systems is ransomware called RAA. Like Locky, RAA is uniquely threatening because it is written in the web-based language JavaScript. This could make it more likely to be activated and therefore to claim more victims.

Why Is JavaScript Ransomware More Dangerous?

As an IT Support Company in Hertfordshire we often hear about malicious programs that have been sent to companies via email as executable attachments such as .exe files. Whereas an operating system or email client will typically block executable programs like .exe, Windows computers allow JavaScript .js files to run. JavaScript files that are sent via email therefore won’t always trigger a security warning on Windows or require administrator access to run.

The fact that RAA is written completely in JavaScript means that it has a much better chance of getting through basic email security on Windows machines. There is a real concern therefore that by opening a simple email containing RAA as an attachment a Windows computer could use the Windows Script Host to run its code and therefore simply install the ransomware.

Outlook is likely to automatically block JavaScript .js files, although some reports indicate that Gmail may not currently block .js files in email attachments and therefore could be a potential way for RAA to be spread.

What Happens When a RAA Email Is Opened?

When an email containing RAA is opened the program encrypts important files on the victim’s computer. RAA then displays the ransom message (reported to be in Russian in this case), which demands that the victim pays $250 to reverse the encryption and release the files.

As well as locking the files and posting a ransom demand, RAA also extracts embedded password-stealing malware called Pony from the .js file and installs it onto the affected computer.

What Does This Mean For Your Business?

Clearly businesses need to raise awareness among staff that they all need to be very careful about opening emails with attachments and/or emails from sources that are not familiar. Keeping computer updates, patches, and antivirus software up to date is also very important. Having a reliable, secure backup of your important files and folders is also advisable, if not essential, in today’s business environment. It is also possible to instruct Windows not to start the Windows Script Host when a .js file is double-clicked, thus potentially stopping the RAA file from installing. If your computer is infected by RAA be aware that there is currently no way to reverse the RAA encryption without paying the ransom, although paying the ransom in these cases is not advisable.
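The two points above (that Windows will hand a double-clicked .js file to the Windows Script Host, and that this behaviour can be switched off) can be checked and applied with PowerShell. The script below is an added example and is not code from the original post or from any vendor; the registry locations are the standard Windows Script Host settings key and the HKEY_CLASSES_ROOT file-association keys, while the function names are this example's own. It first reports whether script execution is enabled and what command each script file type currently opens with, then offers two hardening options: disabling the Script Host entirely, or repointing the script file types at Notepad so a double-click shows the source instead of running it.

```powershell
# Added example: audit and harden how Windows treats double-clicked .js/.jse
# (and related VBS/WSF) attachments. Run from an elevated PowerShell prompt.
# Registry paths are the standard WSH and file-association locations; the
# function names are this example's own and not a Microsoft API.

$WshSettings   = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
$ScriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile'

function Get-ScriptHostStatus {
    # If the 'Enabled' value is absent or non-zero, wscript.exe/cscript.exe
    # will run any script handed to them, which is what a .js attachment relies on.
    $enabled = (Get-ItemProperty -Path $WshSettings -Name Enabled -ErrorAction SilentlyContinue).Enabled

    $associations = foreach ($id in $ScriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\Shell\Open\Command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ ProgId = $id; OpenCommand = $cmd }
    }

    [pscustomobject]@{
        WshEnabled   = ($null -eq $enabled) -or ($enabled -ne 0)
        Associations = $associations
    }
}

function Disable-ScriptHost {
    # Enabled=0 makes the Script Host refuse every script, so a double-clicked
    # .js attachment never executes. Legitimate logon or admin scripts that
    # rely on WSH will stop working too, so test before rolling out widely.
    New-Item -Path $WshSettings -Force | Out-Null
    Set-ItemProperty -Path $WshSettings -Name Enabled -Value 0 -Type DWord
}

function Set-ScriptAssociationToNotepad {
    # Gentler option: keep WSH available for administrators (via cscript.exe),
    # but make Explorer open script files in Notepad on double-click so the
    # user sees plain source code instead of running it.
    foreach ($id in $ScriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' -Value 'notepad.exe "%1"'
        }
    }
}

# Report the current state; call Disable-ScriptHost or
# Set-ScriptAssociationToNotepad afterwards to apply one of the mitigations.
$status = Get-ScriptHostStatus
"Windows Script Host enabled: $($status.WshEnabled)"
$status.Associations | Format-Table -AutoSize
```

Run `Get-ScriptHostStatus` first on a representative machine: if `WshEnabled` is true and `JSFile` opens with `WScript.exe`, a double-clicked .js attachment will run silently, which is the condition the article describes. Of the two fixes, disabling the Script Host is the stronger one, while the Notepad association preserves WSH for scripted administration; either can be pushed by Group Policy Preferences rather than run by hand on each PC.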
