New RAA Ransomware Uses Only JavaScript


A new type of ransomware has been discovered which, unlike other types, uses only JavaScript. IT security experts from Imperva, AlienVault, Lieberman Software and ESET discuss how big of a threat this is.

Amichai Shulman, CTO and Co-Founder at Imperva:

“Organizations should have good backup processes and real time file activity monitoring in place. The former ensures that no long-term damage can be done either on a work station or a file share. The latter ensures that infected individual machines cannot affect file servers.

The interesting thing about this attack vector is that it shows how simple Ransomware is and how easy it is to inflict damage. We tend to think of hacking as though it was rocket science and hence organizations are always going to be on the losing end. In reality, hacking is most often simple and mitigating it requires proper attention and tools which do exist and are within reach of most enterprises. Hacking is a serious business and enterprises should therefore treat information security seriously.”

Javvad Malik, Security Advocate at AlienVault:

“This is a rather new approach, there haven’t been many JS-only attacks, but from an attacker’s point of view it is relatively easy to compile and get out of the door.

The fortunate thing is that JS file attachments are extremely uncommon for emails. After all, JS is written primarily for the web to interact with browsers as opposed to end clients. So, blocking JS file attachments would be a good first step and it won’t adversely impact the majority of organisations.

From a user perspective, awareness and vigilance remains important. Clicking on attachments from unknown sources should be avoided, particularly if they are in non-standard or expected formats.

Additionally, looking at the broad picture – unfortunately it doesn’t look like ransomware campaigns are slowing down. We’ll see more variants distributed in different ways. Some will be more sophisticated than others and with varying degrees of success. The appeal of ransomware is that it creates value and a market where there otherwise would not be. Stealing or leaking data doesn’t have the same financial reward as holding data to ransom – data that could be very personal to someone, could be critical to business, or even critical to life in the cases of hospitals.

The security industry needs to continually streamline the way it detects and responds to these threats – in particular by having more collaboration and threat sharing to better spot and stop attacks.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

“The new RAA Ransomware still depends on the user downloading and dealing with a file. While the attack vector is novel, it’s as if ransomware is still a stranger you invite into your home and show the location of your valuables but they have a different weapon they will pull out to rob you than they did before. JavaScript is a new weapon for your intruder, but like with other ransomware you’re ahead of the game if you don’t invite in scary strangers by clicking on attachments you don’t fully understand.

The RAA ransomware doesn’t use JavaScript in the browser the way that you may normally think of it. So blocking it in your browser, often a move made by users to increase their protection, will potentially not help here.

RAA ransomware’s JavaScript attack is far from impossible to block as long as you don’t let it in the door. If you follow safe practices with attachments and files sent to you, then you should be OK. It’s also likely that end point protection systems will soon have this threat neutralized since JavaScript in a document like we see here is unusual enough to be sought out and alerted on.”

Mark James, Security Specialist at ESET:

“There are many ways to protect against this type of threat that may include measures like disabling Windows Script Host (WSH) or simply having rules set up to manage any attachments that contain .js files.

As in most cases it’s often about pre-empting the current threat vector and trying to take away the actual danger from the end user. Having policies in place to quarantine potentially dangerous attachments for checking later is a great way to protect your very valuable data from user error or “silly mistakes”.

Security these days has to be a combined effort from the user and the IT team; relying on just one could leave you exposed. With so many threats coming in to your organisation through email attachments utilising the inbuilt protection methods is a must if you want to keep safe in this modern day cyberwar.

Ensuring you’re using a good regular updating internet security product will help if mistakes do happen and keeping your operating system and applications patched and updated will also help in keeping you safe and secure.”
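The attachment rule that Malik and James describe, sketched as an added example (not code from the article or from any vendor quoted): a Python check that flags .js attachments, including ones inside a zip archive, for quarantine. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: the page names only .js; extend this tuple per local mail policy.
BLOCKED_EXTENSIONS = (".js",)

def is_blocked(name):
    # Compare case-insensitively and ignore trailing dots/spaces, which
    # Windows strips when the file is saved ("invoice.js." becomes "invoice.js").
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS)

def blocked_attachments(raw_message):
    """Return the attachment names in a raw RFC 5322 message to quarantine."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        if is_blocked(name):
            hits.append(name)
        elif name.lower().endswith(".zip"):
            # An archive can carry a script past a check on the outer name only.
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    hits += [f"{name}!{m}" for m in zf.namelist() if is_blocked(m)]
            except zipfile.BadZipFile:
                hits.append(f"{name}!<unreadable archive>")  # fail closed
    return hits

def build_sample():
    """Constructed test message: one .js, one zip holding a .js, one PDF."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("scan.doc.js", "// constructed placeholder, not real code")
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for data, name in ((b"// placeholder", "Invoice.JS"),
                       (archive.getvalue(), "docs.zip"),
                       (b"%PDF-1.4 placeholder", "report.pdf")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample()))
```

A mail gateway would hold any message for which `blocked_attachments` returns a non-empty list, in line with the quarantine-for-later-checking policy described above.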
