Thanks to Mark Loman of SurfRight for his behind-the-scenes work on this article.
SophosLabs and our SurfRight colleagues just alerted us to an intriguing new ransomware sample dubbed RAA.
This one is blocked by Sophos as JS/Ransom-DDL, and even though it’s not widespread, it’s an interesting development in the ransomware scene.
Here’s why.
Ransomware, like any sort of malware, can get into your organisation in many different ways: buried inside email attachments, via poisoned websites, through exploit kits, on infected USB devices and occasionally even as part of a self-spreading network worm.
But email attachments seem to work best for the cybercrooks, with fake invoices and made-up court cases amongst the topics used by the criminals to make you think you’d better open the attachment, just in case.
In 2015, most ransomware arrived in Word documents containing what are known as macros: script programs that can be embedded in documents to adapt their content in real time, usually as part of your company’s workflow.
The problem with macros, however, is that they aren’t limited to adapting and modifying just the document that contains them.
Macros can be full-blown programs as powerful as any standalone application, and they can not only read and write files on your C: drive and your local network, but also download and run other files from the internet.
In other words, once you authorise a macro to run, you effectively authorise it to install and launch any other software it likes, including malware, without popping up any further warnings or download dialogs.
You can see why cybercrooks love macros!
Fortunately, macros are turned off by default, so the crooks have to convince you to turn them back on after you open their malicious documents.
Excuses they’ve used include needing to enable macros “for security reasons” (they mean for insecurity, of course), and to change character sets to make documents legible, like this sample that delivered the Locky ransomware:
The switch to JavaScript
By the start of 2016, many crooks were steadily shifting their infection strategy as the world began to realise that enabling macros was a really bad idea.
These days, a lot of ransomware arrives in JavaScript attachments.
In case you’re wondering why anyone would open a .JS
file that was pretending to be a document, remember that:
- Windows doesn’t show file extensions by default. So a file called
Invoice.txt.js
shows up as the altogether more believableInvoice.txt
. - Windows uses ambiguous imagery to denote .JS files. Scripts appear with an icon looking like a scroll of parchment, making them look like documents instead of programs. (See below.)
Usually, the malicious JavaScript connects to a download server, fetches the actual ransomware in the form of a Windows program (an .EXE
file), and launches it to complete the infection.
Pure JavaScript
But JS/Ransom-DDL takes a different approach.
The JavaScript doesn’t download the ransomware, it is the ransomware.
This is possible because:
- JavaScript is a general-purpose programming language. It can be used for anything from modest scripts to full-blown applications.
- On Windows, JavaScript outside your browser runs in the Windows Script Host (WSH). This doesn’t restrict or “sandbox” the script code, so it can do anything a regular application could do.
- The crooks used freely-available cryptographic source code in the malware. This made the implementation much easier, because the hard programming work was already done.
No additional software is downloaded, so once the JS/Ransom-DDL malware file is inside your network, it’s ready to scramble your data and pop up a ransom message all on its own.
While it’s at work, it opens a file known as a decoy document in WordPad:
Error! Error code (0034832)
This document was created in a newer version of MS Word and cannot be opened with your version of WordPad.
Contact the creator of the file, or open the file with MS Word 2013.
Some parts of this content may not be displayed properly.
The decoy file contains a bogus error message that is supposed to convince you that the file you just opened really was a document, and to distract your attention while the ransomware goes to work.
The payload
Strictly speaking, this ransomware isn’t completely self-contained: like many ransomware families, its first step is to “call home” to a server operated by the crooks to acquire an encryption key.
The server replies with a uniquely-generated identifier and a randomly-created AES encryption key, so that victims can’t share decryption keys with one another.
If your data ends up scrambled, you need to quote your unique identifier and buy back the matching AES key to unscramble your data.
(The AES key downloaded by the malicious JavaScript is only ever kept in memory, so once the encryption is complete and the JavaScript program exits, the crooks have the only remaining copy of the key.)
Once the encryption is complete, you’ll see a README page telling you how to buy back the key to recover your data:
The gist of this “pay page” follows the usual ransomware recipe:
***ATTENTION!***
Your files have been encrypted by the RAA malware.
The AES-256 algorithm was used for encryption – the same encryption that is used to protect state secrets.
This means that restoring data is only possible by buying the key from us.
Buying the key is the simplest solution.
You don’t need to understand Russian to figure out that the asking price is 0.39 Bitcoins, or approximately $250.
The crooks also suggest (point 2) that they will decrypt a few files for you first if you need proof that they really have the key, although they don’t say up front exactly how you are supposed to send them the test files.
That’s not all
Most ransomware attacks we’ve seen in the last few years have started by scrambling your files, and finished by unscrambling your files once you’ve paid up.
In other words, the cybercrime component was all about squeezing you to pay the ransom, with the ransomware aspect essentially being the beginning and the end of the crime.
After decrypting your files and making sure that the ransomware program has been removed so it can’t accidentally strike again, the theory is that you’re back where you were before the attack started.
But JS/Ransom-DDL is interestingly different, because it deliberately installs a secondary malware infection: a password stealer blocked by Sophos products as Troj/Fareit-AWR.
This Fareit infection isn’t downloaded; instead it is encoded using base64 into a JavaScript string that is stored inside the ransomware file, and installed as a parting gift by the ransomware.
The program code that drops the Fareit file onto your hard disk and launches it is deliberately obscured by encrypting it with AES, using a decryption key stored inside the malware:
The dropped Fareit malware is saved into your MyDocuments folder using the name st.exe
.
What to do?
- Read our article How to stay protected against ransomware.
- Configure Windows to show file extensions. This gives you a better chance of spotting files that aren’t what they seem. (See below.)
- Consider configuring Windows to open JavaScript files with NOTEPAD, not with WSH. This displays .JS files harmlessly as text rather than running them as programs. (See below.)
- Consider using a protective recovery tool like Hitman Pro Alert from Sophos. This can detect when malware, including JS/Ransom-DDL, starts scrambling your data, killing the malicious process and rolling back the unauthorised changes so you don’t need to pay up.
By the way, if do you pay up for ransomware, never assume that the “recovery” tool provided by the crooks will clean up your computer as well as unscrambling your data.
As far as we know, the ransomware in this case might itself be intended as a sort of decoy, to distract you from the fact that you’ll still be infected with the password stealing component, even if you recover from the encryption part.
HOW TO TELL EXPLORER TO OPEN .JS FILES WITH NOTEPAD
Right click on a .JS file and then click on: Open with | Choose another app | More apps ↓
Select Notepad and then turn on Always use this app to open .js files:
HOW TO TELL EXPLORER TO SHOW FILE EXTENSIONS
Click on the View menu and turn on the tick-box labelled File name extensions: