New RAA ransomware strain created entirely with JScript

vbimport

#1

We’ve just posted the following news: New RAA ransomware strain created entirely with JScript

Earlier JScript infections silently downloaded the ransomware executable, which made them vulnerable to being blocked by Internet security software. With the latest strain, the JScript file itself includes the CryptoJS library, so the script alone will encrypt the user’s personal files. This ransomware also packs the nasty password-stealing malware Pony.

Read the full article here: [http://www.myce.com/news/new-raa-ransomware-strain-created-entirely-jscript-79742/](http://www.myce.com/news/new-raa-ransomware-strain-created-entirely-jscript-79742/)


#2

I have to ask why do people keep going to black sites or download bad software and then wonder why they get ransomware infected?


#3

Opening attachments in e-mails is a risky sport, and so the general advice applies:

  1. Do not follow links or open attachments from unknown senders. Preferably, do not open the e-mail at all.
  2. Do not open attachments not mentioned in the mail from known senders, regardless of the name. Contact the sender and ask about the attachment (the sender may be infected).
  3. Do not follow links in e-mails from your financial institution(s) or open their attachments. Open a web browser and log into your account manually. If it is valid, you will find the attachment there. If not, you were about to become a victim of fraud.
    4… a.s.o.

Above all, be cautious and sceptical about everything and your digital life will become less troubled :flower:


#4

[QUOTE=Xercus;2776618]Opening attachments in e-mails is a risky sport, and so the general advice applies:

  1. Do not follow links or open attachments from unknown senders. Preferably, do not open the e-mail at all.
  2. Do not open attachments not mentioned in the mail from known senders, regardless of the name. Contact the sender and ask about the attachment (the sender may be infected).
  3. Do not follow links in e-mails from your financial institution(s) or open their attachments. Open a web browser and log into your account manually. If it is valid, you will find the attachment there. If not, you were about to become a victim of fraud.
    4… a.s.o.

Above all, be cautious and sceptical about everything and your digital life will become less troubled :flower:[/QUOTE]

  1. Already fails…with happy go clickers…never really learn…
  2. Click away…another fail…inform them but never listens
  3. It’s free so why not click on it…it can’t hurt me… :doh:
  4. ugh…people never learn…
  5. it’s useless fix and they do it right over again… :doh:
  6. ok a computer fix it shop needs work and money… :smiley:

#5

[QUOTE=Xercus;2776618]Opening attachments in e-mails is a risky sport, and so the general advice applies:

  1. Do not follow links or open attachments from unknown senders. Preferably, do not open the e-mail at all.
  2. Do not open attachments not mentioned in the mail from known senders, regardless of the name. Contact the sender and ask about the attachment (the sender may be infected).
  3. Do not follow links in e-mails from your financial institution(s) or open their attachments. Open a web browser and log into your account manually. If it is valid, you will find the attachment there. If not, you were about to become a victim of fraud.
    4… a.s.o.

Above all, be cautious and sceptical about everything and your digital life will become less troubled :flower:[/QUOTE]

It’s impossible to be too sceptical these days and I always advise people to assume it’s fake even if it looks genuine.

As you say though, the best defence is avoid clicking on links from emails and visit the official site manually instead.

[B]Wombler[/B]


#6

My Myce e-mail account, which receives a fairly steady supply of infections, received what appears to be this file, judging by the fairly chunky 57KB zipped .js file attachment.

As mentioned above, some of these e-mails are fairly well written, including plucking the first name from the e-mail address (although misspelt with a lowercase ‘s’ here), so it’s no surprise some people fall for them. The following is the body of this e-mail:

Dear sean:

Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am writing to confirm receipt of your order, and to inform you that the item you requested will be delivered by 25 June at the latest. If you require more information regarding this order, please do not hesitate to contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June, so I would be grateful if you could send payment as soon as possible. Please find attached the corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to hearing from you soon.

Yours sincerely
Iva Guerrero
Managing Director - Property Advisory Industry


#7

I do wonder how the JavaScript file is executed. Unlike *.exe files, JavaScript is not self-executing. Rather, it needs to be loaded in an external app to be executed. Is it loaded into a web browser, perhaps?


#8

JScript is similar to JavaScript and Windows can run it just like VBScript and batch files by just double-clicking the .js file.

Unlike JavaScript in the browser, JScript run in Windows (by double-clicking the .js file) has pretty much the same privileges as running an executable .exe file, e.g. it can read/write files, download and run executable files, modify the registry, etc.

I have already given a few of these JScript infections a try in VirtualBox running Windows 10 x64 with a few hundred dummy documents and pictures and it’s surprising how quickly it encrypts them.

To import the infection, I created a virtual CD ISO file containing one of the Zip attachments and mounted it in Virtual PC. For the pictures, I copied all the dll files in the VirtualBox’s system32 directory and placed them in ‘Pictures’ with a .jpg extension and repeated to create a set of .doc files. I then created a firewall rule so that VirtualBox has access to the Internet, but not the 192.168.x.x subnet and double-checked this. For example, I then had to change the DNS to 8.8.8.8 as it could no longer access the DNS IP of my router. This also meant the infection couldn’t see the internal network.

I then opened the virtual CD drive, double clicked the Zip file and then the .js file inside. Nothing appeared to happen, so I decided to leave the mouse and keyboard alone a short while to see if anything happens. After about 1 minute the ransomware pop-up appeared saying all my files were encrypted. Indeed when I checked the folders containing the dummy pictures and documents, they were all encrypted with random files names all ending in the .zepto file extension.

After experimenting with different file sets, it appears that the number of documents affects the ransom demand figure. For example, when I created a few thousand fake .doc files, the ransom request went to something like 10 BTC.
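The point made above, that a double-clicked .js file runs under the Windows Script Host with the user’s full privileges, also suggests the mitigation: change what the double-click does. The following is an added example (not from this thread or from any of the posters), written for an elevated PowerShell prompt. It assumes the stock Windows ProgIDs for script files (JSFile, JSEFile, VBSFile, VBEFile, WSFFile, WSHFile); the function and variable names are the example’s own.

```powershell
# Added example (not from the thread): stop double-clicked script attachments
# from executing on a Windows host. Run from an elevated PowerShell prompt.
# Assumes the stock ProgIDs below; check the live mapping with `cmd /c assoc .js`.
#Requires -RunAsAdministrator

$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'

function Get-ScriptHandlers {
    # Report what each script ProgID currently launches for the "Open" verb,
    # which is the verb Explorer uses on double-click.
    foreach ($id in $scriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\Shell\Open\Command"
        $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ ProgId = $id; OpenCommand = $cmd }
    }
}

function Set-ScriptHandlersToNotepad {
    # Route the "Open" verb to Notepad so a double-clicked attachment is shown
    # as text instead of executed. wscript.exe/cscript.exe still run scripts
    # invoked explicitly, so logon scripts and admin tooling keep working.
    foreach ($id in $scriptProgIds) {
        $key = "Registry::HKEY_CLASSES_ROOT\$id\Shell\Open\Command"
        if (Test-Path $key) {
            Set-ItemProperty -Path $key -Name '(default)' `
                -Value '"%SystemRoot%\System32\notepad.exe" "%1"'
        }
    }
}

function Disable-WindowsScriptHost {
    # Stronger option: disable WSH machine-wide. This breaks any .vbs/.js
    # logon scripts, so test in a pilot group before rolling it out.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Enabled' -Value 0 -Type DWord
}

# Usage: inspect first, then pick one of the two hardening steps.
Get-ScriptHandlers | Format-Table -AutoSize
Set-ScriptHandlersToNotepad
Get-ScriptHandlers | Format-Table -AutoSize
```

Two caveats a practitioner would check: a per-user choice under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts can override the machine-wide ProgID, so verify the result by right-clicking a test .js file and reading its default action; and since the attachment in this thread arrived as a zipped .js, the mail gateway should be blocking script extensions inside archives as well, rather than relying on the endpoint alone.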


#9

Cool Seán :cool:

I’ve never thought of checking if there was a difference in ransom due to number of data files (I’ll create my own magnum dummy set this weekend).

LOL :bigsmile: a pay per decryption scheme of sorts, no less. They sure are creative :wink:

Thanks for the info
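For anyone building their own dummy set, here is an added example (not code from this thread or from any of the posters) that automates the lab procedure described above: copy System32 DLLs into Pictures and Documents with .jpg and .doc extensions, record a SHA-256 baseline, and after detonation count what was modified, deleted, or newly created (grouped by extension, which is where a new suffix like .zepto shows up). Paths, the folder names and the `-Count` parameter are the example’s own assumptions; run it only inside an isolated VM such as the one described in the thread.

```powershell
# Added example (not from the thread): build, baseline and diff a dummy
# victim corpus for ransomware detonation in an isolated VM.
# Folder names and the baseline file path are assumptions; adjust as needed.

$corpusRoots = @("$env:USERPROFILE\Pictures\lab", "$env:USERPROFILE\Documents\lab")
$baselineCsv = "$env:USERPROFILE\lab-baseline.csv"

function New-DummyCorpus {
    # Copy real DLLs under fake document/picture names, as the post describes.
    # -Count lets you vary the corpus size to test whether the ransom scales.
    param([int]$Count = 300)
    $sources = Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll |
        Select-Object -First $Count
    $i = 0
    foreach ($root in $corpusRoots) {
        New-Item -ItemType Directory -Path $root -Force | Out-Null
        $ext = if ($root -like '*Pictures*') { '.jpg' } else { '.doc' }
        foreach ($src in $sources) {
            $name = 'file{0:D4}{1}' -f $i, $ext
            Copy-Item -Path $src.FullName -Destination (Join-Path $root $name)
            $i++
        }
    }
}

function Save-Baseline {
    # Record path, size and SHA-256 of every corpus file before detonation.
    Get-ChildItem -Path $corpusRoots -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Size = $_.Length
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $baselineCsv -NoTypeInformation
}

function Compare-AfterDetonation {
    # Diff the current tree against the baseline. Ransomware that renames
    # files shows up as Missing + New; in-place encryption shows up as Modified.
    $before = Import-Csv -Path $baselineCsv
    $after  = Get-ChildItem -Path $corpusRoots -File -Recurse
    $afterByPath = @{}
    foreach ($f in $after) { $afterByPath[$f.FullName] = $f }

    $missing  = @($before | Where-Object { -not $afterByPath.ContainsKey($_.Path) })
    $modified = @($before | Where-Object {
        $afterByPath.ContainsKey($_.Path) -and
        (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash -ne $_.Hash })
    $new = @($after | Where-Object { $before.Path -notcontains $_.FullName })

    [pscustomobject]@{
        Missing       = $missing.Count
        Modified      = $modified.Count
        New           = $new.Count
        NewExtensions = ($new | Group-Object Extension |
            ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    }
}

# Usage: run the first two before double-clicking the sample, the third after.
# New-DummyCorpus -Count 300
# Save-Baseline
# Compare-AfterDetonation
```

Take a VM snapshot after Save-Baseline so each detonation starts from the same corpus; that makes a comparison such as the ransom-versus-file-count observation in the thread repeatable rather than anecdotal.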


#10

While the encryption took place, they were even creative with the process name. With Locky, it showed up as ‘Windows Product Activation’ with a certificate icon in Task manager. The give-away was the ~100MB/s disk activity with that process, which gives an idea of the sheer speed it was encrypting at.

It reminds me of the creative Wi-Fi names some people come up with. :bigsmile: