New ransomware variant coded entirely on Javascript, exploits macros

Most of the time, ransomware are usually packaged on a Windows executable file, kept hidden inside a subtle email. However, cybercriminals have taken a new step towards upping their game. A new strain of ransomware has been discovered, which is coded completely from Javascript.

Called RAA, this new variant of ransomware is disguised as an innocent-looking document file. Moreover, it is hidden inside a "macro," or a script program that can be attached to documents to adapt content in real time. Not only they have the ability to modify documents, they can also be programmed to function as a full-blown application which can alter files and download software from the internet.

As per usual, the malware is sent to potential victims via email. The message plays on the fears of the receiver by stating that they have some kind of unpaid invoice, or a criminal court case. It contains an attachment like "Invoice.txt" or something similar. With the file looking safe, the receiver can proceed to download the file.

However, this is where it gets kind of tricky. For one, Windows hides file extensions by default. In reality, the attachment has a full name of "Invoice.txt.js," which is a Javascript file. Furthermore, its icon, which shows a scroll of parchment, makes the receiver believe even more that what they're about to open is really a text file, as Naked Security points out.

The attachment will take advantage of Windows Script Host. Once opened, the ransomware will then get to work, encrypting the poor victim's files. Meanwhile, in order to not raise suspicions, the Javascript program opens a decoy document on WordPad stating the following:

Error! Error code (0034832)

This document was created in a newer version of MS Word and cannot be opened with your version of WordPad.
Contact the creator of the file, or open the file with MS Word 2013.
Some parts of this content may not be displayed properly.

Once encryption is complete, the victim will be greeted with a message written in Russian indicating that their files have been encrypted. It states:


Your files have been encrypted by the RAA malware.
The AES-256 algorithm was used for encryption – the same encryption that is used to protect state secrets.
This means that restoring data is only possible by buying the key from us.
Buying the key is the simplest solution.

It will then demand 0.39 Bitcoins, which is roughly equal to $260. Moreover, the ransomware reportedly lets you decrypt some files for free, but it does not clearly state how the victim can do so.

Bleeping Computer reports that there is currently no way to combat the malware without paying the ransom.

While these types of malware are booming, users can still take measures to protect themselves, by being vary careful of the attachments they open, especially if they seem to be from an unknown source, as well as keeping antivirus and anti-malware programs updated.

Source: Naked Security | Images via Bleeping Computer

Report a problem with article
Next Article

Wallet 2.0 now available for Windows 10 Mobile on Insider Fast ring; offers NFC tap to pay

Previous Article

Microsoft launches SharePoint mobile app for iOS; Android and Windows 10 apps coming later

22 Comments - Add comment