A newly discovered ransomware variant does away with downloading a malicious file, carrying out the dirty work itself
The script arrives as an attachment called Invoice.txt.js, which appears as “invoice.txt” on most Windows systems, because Windows is configured by default to hide the extensions of known file types.
The technique is simpler than the most common method of infection, which involves the use of a Word document containing a malicious macro and attached to an email.
Once the document is opened, the attacker must also convince the user to turn macros on, since they’re not enabled by default in Windows. The macro must then download an executable file to carry out the malicious activity.
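As an added example (not code from the article or from Sophos), here is a mail-gateway style check for the double-extension trick described above: it reconstructs what a user with hidden extensions would see for an attachment name and flags script attachments disguised as documents. The extension lists and the sample filenames are constructed for illustration.

```python
# Extensions that Windows Script Host or the shell will run directly.
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta",
                     "cmd", "bat", "ps1", "exe", "scr"}
# Extensions a user would normally regard as harmless documents.
DOCUMENT_EXTENSIONS = {"txt", "pdf", "doc", "docx", "xls", "xlsx",
                       "rtf", "jpg", "png"}


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it when 'Hide extensions for known file
    types' is on: the final extension is dropped. Simplifying assumption:
    every final extension is treated as a 'known' one."""
    stem, dot, _ext = filename.rpartition(".")
    if dot and stem:
        return stem
    return filename


def classify_attachment(filename: str) -> dict:
    """Return a verdict for one attachment name.

    block      - script extension hidden behind a document extension
                 (the Invoice.txt.js pattern)
    quarantine - directly executable attachment, no disguise
    allow      - anything else
    """
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""
    if ext in SCRIPT_EXTENSIONS and inner in DOCUMENT_EXTENSIONS:
        verdict, reason = "block", (
            f"script .{ext} disguised as .{inner}; "
            f"user would see '{displayed_name(filename)}'")
    elif ext in SCRIPT_EXTENSIONS:
        verdict, reason = "quarantine", f"executable attachment .{ext}"
    else:
        verdict, reason = "allow", ""
    return {"filename": filename, "shown_as": displayed_name(filename),
            "verdict": verdict, "reason": reason}


def scan_attachments(names):
    """Classify a batch of attachment names (constructed sample input)."""
    return [classify_attachment(n) for n in names]


if __name__ == "__main__":
    for result in scan_attachments(
            ["Invoice.txt.js", "report.pdf", "setup.exe", "README"]):
        print(result)
```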
Once executed, RAA launches a decoy document in WordPad that displays a fake error message, while in the background fetching a unique identifier and encryption key from a remote server.
It then begins encrypting the user’s documents, before displaying a message demanding a ransom of 0.39 Bitcoins, or about £187, in exchange for unlocking the files.
RAA differs from other ransomware in another way, as well, in that after unlocking a system it installs a password-stealing program for good measure.
“The ransomware in this case might itself be intended as a sort of decoy, to distract you from the fact that you’ll still be infected with the password stealing component,” Ducklin wrote.
Freedom of Information Act (FOI) requests published last week by security firm Avecto found that at least 30 percent of UK local councils had been affected by at least one ransomware attack during 2015, with one council hit by 13 separate attacks. Sixty-five percent of those affected said they had not paid a ransom.