The Linux Mint website has been hacked and was found to be pointing to malicious ISOs that contained an IRC bot.What happened and who is affected?In an effort to develop a target base and increase the conversion rate of victims, ransomware perpetrators will try to veer away from well-known families and create new family sporting seemingly new techniques—with varying degrees of practicality.This is the case with the RAA ransomware, which Trend Micro detects as RANSOM_JSRAA.A.While most ransomware take the form of executables (.exe, .dll), RAA is one of the few to be written entirely in a scripting language—especially one expressly designed to be interpreted by web browsers.Our analysis shows that this particular ransomware variant is written in JScript, and not JavaScript, as observed by some reports.(Neither is related to Java either; this Microsoft knowledgebase article makes the differences of the three clear.)This scripting language is designed for Windows systems and executed by the Windows Scripting Host engine through Microsoft Internet Explorer (IE).

It cannot run via the newer Edge browser, however.Perhaps, cyber crooks are leveraging the JScript scripting language to add another layer of difficulty in detection as this can make polymorphism and obfuscation easier.RAA’s ransom note is written in Russian and contains instructions on how to transfer 0.39 Bitcoin (or US $250) in order to get the key and software needed to decrypt the affected files.JScript bears semblances with JavaScript because both are derived from ECMAScript.More or less, these scripting languages are ‘compatible.’  In a nutshell, JScript is the MS implementation of  ECMAScript, while JavaScript is the Mozilla implementation of ECMAScript.One of their notable differences is the capability of JScript to access objects exposed by IE (ActiveX objects), and some system objects such as the “WScript.” Figure 2.Line 6 pertains to WScript, which is specifically related to JScript.The use of scripting language in ransomware is not new.Cryptowall 4.0’s downloader was written in JScript; PowerWare had task-based PowerShell scripting language do its dirty work.

Ransom32 was entirely written in JavaScript, but its package contained the usual binaries—a Tor client as well as Node.js binaries and modules which it used to run the script.ice vault bitcoinSince most malware are written in compiled programming languages—with ransomware often taking the form of executables—using a language uncommonly used to deliver malware can be seen as less prone to detection.bitcoin wallet windows phone 8Cybercriminals know it’s a race; they capitalize on the lapse of time where their malware remains undetected in order to maximize their profit.get bitcoin address multibitAside from being easier to write, these languages are also highly portable: modern Windows OS-based machines can run them without any change required in the code.litecoin mining 1 gpu

Windows Scripting Host running JScript, for instance, has been available since Windows XP.Digging through the RAA code RAA cannot be simply executed in any browser, other than IE through attack vectors like cross site scripting.bitcoin exchange jamaicaIt still requires Windows Script Host execution.intel core i7 bitcoin miningThe ActiveX object execution should also be authorized on the IE browser.yahoo bitcoin virus“WScript,” which is used in several parts of RAA, seems to be the differentiator.mine litecoin or dogecoinAs an example, the line below will trigger an error in Chrome: Figure 3.bitcoin mining hardware amazon

Error message when this threat is opened via Chrome browser On the other hand, this malware can still be executed by simple clicking the script itself, via the attachment in spam emails, through an object within an Office document, or even via command line.bitcoin mit handy bezahlenIts file names can be any of the following: Based on our findings, RAA employs CryptoJS for its encryption process.bitcoin brasil lojasIt is an open-source library of cryptographic algorithms implemented in JavaScript, supporting AES-128, AES-192 and AES-256: Encrypted data are appended with a .locked extension to their filenames.casino evolution bitcoinTo date, RAA encrypts 16 file types.hourly invest bitcoin

It skips encrypting data with filenames like “.locked”, “~”, and “$.”  Furthermore, it does not encrypt files located in the following directories: Using base64 encoding, RAA also drops and extracts data-stealing FAREIT (also known as Pony malware).ethereum miner software windowsIt is a known data-stealing malware that pilfers stored credentials from File Transfer Protocol (FTP) clients and other file management software, email clients such as Outlook, web browsers and even bitcoin wallets, and sends them to its command and control server (C&C).ethereum price jumpIt also deletes the following registry related to Volume Shadow Service: As such, backup and restore operations are disabled while applications on the systems continue to write to the volumes.bitcoin dying 2014

This, of course, adds another layer of prevalence to this threat.Reminiscent of DMA Locker 4.0 (detected as RANSOM_MADLOCKER.B) and certain variants of JIGSAW crypto-ransomware, RAA offers to unlock a few files for free, presumably to make the promise of actually decrypting the files appear more legitimate.github bitcoin minerIt even has a dedicated “customer” support via Bitmessage, a decentralized P2P communications protocol used to send encrypted messages.bitcoin hourly investmentCybercriminals continue to craft clever tactics to infect as many systems with ransomware as possible.bitcoin 101 redditIn this case, they leverage a scripting language to avoid detection and consequently, removal from the system.litecoin wiki

Backing up files using the 3-2-1 rule is one way to mitigate the risks of ransomware threats such as RAA.Organizations and users need a multi-layered defense against this type of threats.bitcoin 2800Trend Micro offers different solutions to protect enterprises, small businesses, and home users to help minimize the risk of getting affected by this threat.btc graph bitcoinEnterprises can benefit from a multi-layered, step-by-step approach in order to best mitigate the risks brought by these threats.bitcoin mining rig kaufenEmail and web gateway solutions such as Trend Micro™ Deep Discovery™ Email Inspector and InterScan™ Web Security prevent ransomware from ever reaching end users.bitcoin kursentwicklung 2013

At the endpoint level, Trend Micro Smart Protection Suites deliver several capabilities like behavior monitoring and application control, and vulnerability shielding that minimize the impact of this threat.bitcoin fork may 2017Trend Micro Deep Discovery Inspector detects and blocks ransomware on networks, while Trend Micro Deep Security™ stops ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.bitcoin miner hardware amazonFor small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security.wow ethereum prison locationIts endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.buy litecoin with debit card

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.Users can also use our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying for the use of the decryption key.litecoin gpu mining howtoRelated hashes to this attack: With additional analysis by Jasen Sumalapao and Jaaziel Carlos Updated on June 22, 2016, 03:27 AM (UTC-7) Updated to remove the file, RANSOMWARESCRIPT_PONYDOWNLOADER.js, from the list of attachment file names used by the threat in its spammed message because we were informed that this a renamed file.bitcoin bet script