RAA: The latest ransomware culprit preys on Microsoft JScript
While most of healthcare is familiar with ransomware threat actors that utilize .exe attachments, RAA ransomware differs in that it’s launched from .js attachments sent via email. Such JScript attachments have grown exponentially in recent months, according to the cybersecurity company Proofpoint, which has been tracking RAA ransomware for more than a month.
RAA seems to be following the same path Proofpoint has noted over recent quarters in the most popular malware - Dridex, Locky and CryptXXX, as well as the legacy malware TeslaCrypt and CryptoWall - in its use of .js and in combining ransomware with information-theft functionality, said Kevin Epstein, vice president of the Threat Operations Center at Proofpoint.
“Detection needs to be based on dynamic as well as static file examination methods.”
Discovered by two security researchers who posted the news on Twitter, RAA is innovative but not as sophisticated as Locky, CryptXXX or Cerber, according to Lawrence Abrams, owner of BleepingComputer, a technical support website specializing in security matters and computer issues.
Using hacked servers or free web hosting as a command center, RAA hackers quickly gain control of the accounts associated with them. As Abrams explained, these command centers must be disabled to remove the ransomware from the victim’s computer.
“As most of these infections utilize email attachments, including RAA, employees need to be properly educated on how they should handle emails from unknown senders,” Abrams said.
“It’s also important to install a security product that offers behavioral detection rather than standard virus definitions,” he added. “As the ransomware executables are constantly morphing, traditional antivirus scans commonly do not detect new infections.”
To best protect against ransomware, Abrams recommended that healthcare organizations consider ‘whitelisting,’ the process of configuring computers so that only programs specifically allowed on the system can run and everything else is blocked.
Abrams said that although it’s a complicated setup, “it’s the most secure way to protect a server from ransomware.”
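As an added illustration of the whitelisting approach Abrams describes (this is example code, not anything from the article or from BleepingComputer), the following PowerShell applies a minimal AppLocker Script rule collection: scripts under the Windows and Program Files directories are allowed, and a .js file saved anywhere else, such as a mail attachment dropped in the Downloads folder, is denied by default. It assumes an elevated session on a Windows edition that enforces AppLocker; the rule GUIDs and the invoice.js path are constructed placeholders.

```powershell
# Added example, not from the article: a minimal AppLocker "Script" policy
# that implements whitelisting for .js/.vbs/.ps1/.cmd/.bat files.
# Assumes an elevated PowerShell session and an AppLocker-capable edition.
$policyXml = @'
<AppLockerPolicy Version="1">
  <!-- Start in AuditOnly; switch to Enabled once the AppLocker event log
       shows no legitimate scripts being flagged. -->
  <RuleCollection Type="Script" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-1111-1111-1111-111111111111"
                  Name="Allow scripts shipped with Windows"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="22222222-2222-2222-2222-222222222222"
                  Name="Allow scripts under Program Files"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <!-- No rule covers user-writable locations (Downloads, %TEMP%, mail
         attachment caches), so scripts there are implicitly denied. -->
  </RuleCollection>
</AppLockerPolicy>
'@

$policyPath = Join-Path $env:TEMP 'script-whitelist.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: what would the policy decide for a constructed .js attachment
# in the user's Downloads folder? Expected decision: DeniedByDefault.
$attachment = Join-Path $env:USERPROFILE 'Downloads\invoice.js'   # placeholder
if (-not (Test-Path $attachment)) { New-Item -ItemType File -Path $attachment | Out-Null }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $attachment -User Everyone

# AppLocker only evaluates rules while the Application Identity service runs.
Start-Service -Name AppIDSvc

# Merge into the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Show the effective policy so the Script collection can be verified.
Get-AppLockerPolicy -Effective -Xml
```

Audit-mode decisions are written to the Microsoft-Windows-AppLocker/MSI and Script event log, which is where to confirm nothing legitimate is blocked before changing EnforcementMode to Enabled.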
“There doesn’t seem to be any end in sight for these types of infections,” Abrams added. “The profits are too great and many companies are forced to pay the ransom or potentially cease operating.”