By Renaud Bidou

In an effort to develop a target base and increase the conversion rate of victims, ransomware perpetrators will try to veer away from well-known families and create new families sporting seemingly new techniques—with varying degrees of practicality.

This is the case with the RAA ransomware, which Trend Micro detects as RANSOM_JSRAA.A. While most ransomware take the form of executables (.exe, .dll), RAA is one of the few to be written entirely in a scripting language—especially one expressly designed to be interpreted by web browsers.

Our analysis shows that this particular ransomware variant is written in JScript, not JavaScript as some reports have stated. (Neither is related to Java; this Microsoft knowledgebase article makes the differences among the three clear.) This scripting language is designed for Windows systems and executed by the Windows Scripting Host engine through Microsoft Internet Explorer (IE). It cannot run via the newer Edge browser, however.

Cyber crooks are perhaps leveraging the JScript scripting language to add another layer of difficulty in detection, as it can make polymorphism and obfuscation easier.

Figure 1. RAA’s ransom note is written in Russian and contains instructions on how to transfer 0.39 Bitcoin (or US $250) in order to get the key and software needed to decrypt the affected files.

JScript resembles JavaScript because both are derived from ECMAScript. More or less, these scripting languages are ‘compatible.’ In a nutshell, JScript is the Microsoft implementation of ECMAScript, while JavaScript is the Mozilla implementation of ECMAScript. One of their notable differences is the capability of JScript to access objects exposed by IE (ActiveX objects), and some system objects such as “WScript.”

Figure 2. Line 6 pertains to WScript, which is specifically related to JScript.

Why JScript?

The use of scripting language in ransomware is not new. Cryptowall 4.0’s downloader was written in JScript; PowerWare had task-based PowerShell scripting language do its dirty work. Ransom32 was entirely written in JavaScript, but its package contained the usual binaries—a Tor client as well as Node.js binaries and modules which it used to run the script.

Since most malware are written in compiled programming languages—with ransomware often taking the form of executables—using a language uncommonly used to deliver malware can be seen as less prone to detection. Cybercriminals know it’s a race; they capitalize on the lapse of time where their malware remains undetected in order to maximize their profit.

Aside from being easier to write, these languages are also highly portable: modern Windows OS-based machines can run them without any change required in the code. Windows Scripting Host running JScript, for instance, has been available since Windows XP.

Digging through the RAA code

RAA cannot simply be executed in any browser other than IE through attack vectors like cross-site scripting. It still requires Windows Script Host execution. ActiveX object execution must also be authorized in the IE browser. “WScript,” which is used in several parts of RAA, seems to be the differentiator. As an example, the line below will trigger an error in Chrome:

Figure 3. Error message when this threat is opened via Chrome browser

On the other hand, this malware can still be executed by simply clicking the script itself, via the attachment in spam emails, through an object within an Office document, or even via command line. Its file names can be any of the following:

st.js

ST.js

mgJaXnwanxlS_doc_.js

_mgJaXnwanxlS_doc_.js
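A mail-gateway check for the delivery path described above, as an added example that is not part of the original analysis or any Trend Micro product. The function name, the extension set beyond `.js`, the lure-token heuristic and the sample message are assumptions of this example.

```python
import os
import re
from email.message import EmailMessage

# Extensions Windows Script Host runs on double-click. The article names only
# .js; the others are WSH-handled types added for this example.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document-style token in the base name, as in "mgJaXnwanxlS_doc_.js".
LURE = re.compile(r"(?:^|[._\- ])(?:doc|docx|pdf|xls|xlsx|rtf)(?:[._\- ]|$)", re.I)

def screen_attachments(msg):
    """Return [(filename, reasons)] for attachments a gateway should hold."""
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so "x.js. " still runs as .js.
        name = name.rstrip(". ")
        stem, ext = os.path.splitext(name)
        if ext.lower() not in WSH_EXTENSIONS:
            continue
        reasons = ["wsh-script"]
        if LURE.search(stem):
            reasons.append("document-lure-name")
        findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed message; attachment bodies are harmless placeholders."""
    msg = EmailMessage()
    msg["Subject"] = "Documents"
    msg.set_content("See attached.")
    for fname in ("mgJaXnwanxlS_doc_.js", "ST.js"):
        msg.add_attachment(b"// placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    msg.add_attachment("plain notes", filename="notes.txt")
    return msg

if __name__ == "__main__":
    for name, reasons in screen_attachments(build_sample()):
        print(name, reasons)
```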

Based on our findings, RAA employs CryptoJS for its encryption process. It is an open-source library of cryptographic algorithms implemented in JavaScript, supporting AES-128, AES-192 and AES-256:

var clear_tpcVJWrQG = CryptoJS.enc.Base64.parse(tpcVJWrQG);

Encrypted data are appended with a .locked extension to their filenames. To date, RAA encrypts 16 file types. It skips encrypting data with filenames like “.locked”, “~”, and “$.” Furthermore, it does not encrypt files located in the following directories:

Program Files (including x86)

Windows

Recycle Bin

Recycler

AppData

Temp

ProgramData

Microsoft
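The footprint described above can be checked against a file listing during triage. This is an added example, not code from the original analysis; the function names, the whole-component directory match and the sample paths are assumptions of the example.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Directory names the article lists as skipped. Comparing whole path
# components case-insensitively is an assumption of this example, and
# "program files (x86)" spells out the article's "(including x86)".
SKIPPED_DIRS = {"program files", "program files (x86)", "windows",
                "recycle bin", "recycler", "appdata", "temp",
                "programdata", "microsoft"}

def in_skipped_dir(path):
    """True if any directory component of the path is on the skip list."""
    p = PureWindowsPath(path)
    return any(part.lower() in SKIPPED_DIRS
               for part in p.parent.parts if part != p.anchor)

def locked_footprint(paths):
    """Summarise .locked files in a listing against the described skip list."""
    by_dir, outliers = Counter(), []
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.suffix.lower() != ".locked":
            continue
        if in_skipped_dir(raw):
            outliers.append(raw)   # not explained by the described behaviour
        else:
            by_dir[str(p.parent)] += 1
    return {"locked": sum(by_dir.values()),
            "by_dir": dict(by_dir),
            "outliers": outliers,
            "matches_description": bool(by_dir) and not outliers}

# Constructed listing, e.g. exported from a triage tool.
SAMPLE = [
    r"C:\Users\ana\Documents\q2.xlsx.locked",
    r"C:\Users\ana\Documents\plan.docx.locked",
    r"D:\share\scan.pdf.locked",
    r"C:\Users\ana\AppData\Roaming\app\cache.db",
    r"C:\Windows\System32\drivers\etc\hosts",
]

if __name__ == "__main__":
    print(locked_footprint(SAMPLE))
```

The `by_dir` counts show which user-data locations need restoring, and any `outliers` entry is a `.locked` file in a directory the article says is skipped, so it points to something other than the behaviour described here.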

Using base64 encoding, RAA also drops and extracts FAREIT (also known as Pony malware). It is a known data-stealing malware that pilfers stored credentials from File Transfer Protocol (FTP) clients and other file management software, email clients such as Outlook, web browsers and even bitcoin wallets, and sends them to its command and control server (C&C). It also deletes the following registry key related to Volume Shadow Service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\VSS

As such, backup and restore operations are disabled while applications on the systems continue to write to the volumes. This, of course, adds another layer of prevalence to this threat.

Reminiscent of DMA Locker 4.0 (detected as RANSOM_MADLOCKER.B) and certain variants of JIGSAW crypto-ransomware, RAA offers to unlock a few files for free, presumably to make the promise of actually decrypting the files appear more legitimate. It even has a dedicated “customer” support via Bitmessage, a decentralized P2P communications protocol used to send encrypted messages.

Trend Micro solutions

Cybercriminals continue to craft clever tactics to infect as many systems with ransomware as possible. In this case, they leverage a scripting language to avoid detection and consequently, removal from the system.

Backing up files using the 3-2-1 rule is one way to mitigate the risks of ransomware threats such as RAA. Organizations and users need a multi-layered defense against this type of threat.

Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by this threat.

Enterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats. Email and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users. At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat. Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can also use our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying for the use of the decryption key.

Related hashes to this attack:

2C0B5637701C83B7B2AEABDF3120A89DB1DBAAD7 – detected as RANSOM_JSRAA.A

822BF6D0EB04DF65C072B51100C5C852761E7C9E – detected as TSPY_FAREIT.YYSVN

With additional analysis by Jasen Sumalapao and Jaaziel Carlos

Updated on June 22, 2016, 03:27 AM (UTC-7)

Updated to remove the file, RANSOMWARESCRIPT_PONYDOWNLOADER.js, from the list of attachment file names used by the threat in its spammed message because we were informed that this is a renamed file. Hat tip to JAMESWT for this information.