RAA also includes a version of the Pony malware embedded inside of it, which RAA also installs on an infected PC, according to an analysis of the malware published by ReaQta, a cybersecurity firm that was formed in 2014 by former employees of the Milan, Italy-based nation-state spyware shop Hacking Team.
While Pony can be used to download additional pieces of malware, for the RAA infection, it's also configured to steal passwords. "This malware can collect browser passwords and other user information from an infected machine and is usually used by hackers to gather critical information on infected systems," researchers from security firm Trend Micro say in a blog post. While Pony often uses behavior associated with banking Trojans, such as stealing access credentials for online accounts, at least to date, RAA's version of Pony doesn't appear to have been doing this.
After the ransomware encrypts files and reboots, Pony then gets executed, while end users see a ransom note written in Russian, according to ReaQta (see Please Don't Pay Ransoms, FBI Urges). "The ransomware asks for 0.39 bitcoins [$300] and due to the language of the refund information file, it's clear that the targeted country is Russia," ReaQta says.
But as Trend Micro notes: "It's only a matter of time until it's distributed more widely and localized for other languages."
SANS Sounds Warning