New Ransomware ‘Undecryptable’
Wednesday, June 15, 2016 @ 03:06 PM gHale
Attackers attach the RAA .js file to spam email, disguised to look like an Office document, and some users will download and execute it.
On most Windows PCs the .js extension is associated with the Windows Script Host (wscript.exe), so a double-click runs the script outside any browser sandbox with the logged-on user's privileges, giving it access to the file system, COM objects and the system's own utilities.
The JS file also creates a fake Word document and opens it. That file is filled with random data so the user thinks the attachment was merely a corrupted document.
The same RAA payload also contains a base64-encoded copy of the Pony infostealer, a malware family that collects browser passwords and other data from the PC. Pony is usually used for reconnaissance, giving the crooks a better overview of the infected system. Pony often goes hand in hand with banking Trojans, but that behavior was not observed in RAA infections.
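The delivery chain described above (a .js attachment disguised as a document, run by the Windows Script Host, carrying a base64-encoded executable) is what a mail gateway should catch. The Python below is an added example written for this page, not code from RAA, Pony or Bleeping Computer: it flags attachment names that end in a WSH-executed extension, especially behind a document-like double extension, and scans the script body for base64 runs that decode to a PE image (MZ header). The extension lists, the 64-character threshold and the sample script are assumptions constructed for the demonstration.

```python
"""Gateway-style triage for script attachments of the kind RAA uses.

Added example: not RAA, Pony or Bleeping Computer code. Extension lists,
threshold and sample script are assumptions constructed for this demo.
"""
import base64
import re
from pathlib import PurePath

# Extensions Windows hands to the Windows Script Host (wscript.exe) on a
# double-click. Assumed list; extend it to match your gateway policy.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document-looking extensions used to disguise the real one ("Invoice.doc.js").
DOC_LIKE = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt"}


def classify_attachment(filename: str) -> str:
    """Return 'wsh-script', 'wsh-script-disguised' or 'ok' for an attachment name."""
    # strip() also defeats the "Invoice.doc        .js" trick, where spaces push
    # the real extension out of view in a mail client
    suffixes = [s.strip().lower() for s in PurePath(filename).suffixes]
    if not suffixes or suffixes[-1] not in WSH_EXTENSIONS:
        return "ok"
    if len(suffixes) >= 2 and suffixes[-2] in DOC_LIKE:
        return "wsh-script-disguised"
    return "wsh-script"


# A contiguous run of base64 text at least 64 characters long (48 bytes decoded).
# Real droppers may split the blob across concatenated strings; this handles only
# the simple single-literal case.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")
PE_MAGIC = b"MZ"  # DOS header signature every Windows PE file starts with


def embedded_pe_blobs(script: bytes) -> list:
    """Return (offset, decoded_size) for each base64 run that decodes to a PE image."""
    hits = []
    for m in B64_RUN.finditer(script):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a trailing partial quantum
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        if decoded.startswith(PE_MAGIC):
            hits.append((m.start(), len(decoded)))
    return hits


def triage(filename: str, content: bytes) -> list:
    """Reasons to quarantine the attachment; an empty list means nothing was found."""
    reasons = []
    kind = classify_attachment(filename)
    if kind != "ok":
        reasons.append(kind)
    if embedded_pe_blobs(content):
        reasons.append("embedded-pe")
    return reasons


# Constructed sample, not RAA's code: a fake PE image (MZ header plus padding)
# base64-encoded into a JScript string literal, the way a dropper carries a payload.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 200  # 204 bytes -> 272 base64 chars
SAMPLE_SCRIPT = (
    b'var fso = new ActiveXObject("Scripting.FileSystemObject");\n'
    b'var payload = "' + base64.b64encode(FAKE_PE) + b'";\n'
    b'var note = "Your files have been encrypted";\n'
)

if __name__ == "__main__":
    for name in ("Invoice.doc.js", "Invoice.docx", "Invoice.doc        .js"):
        print(name, "->", classify_attachment(name))
    print("triage:", triage("Invoice.doc.js", SAMPLE_SCRIPT))
```

The name check alone would have stopped this campaign at the gateway; the blob scan is the second layer for scripts that arrive inside an archive or with a harmless-looking name. The MZ check is deliberately narrow: it will miss a payload that is XOR-ed or split across concatenated strings, so treat it as a cheap first filter, not a sandbox replacement.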
RAA only encrypts 16 file types and then displays its ransom note.
The ransomware asks for $250 in bitcoin, claims to use AES-256 encryption, and tells victims to contact the author by email to receive their decryption key. RAA is currently undecryptable, Lawrence Abrams at Bleeping Computer said in a blog post.