A new ransomware family called RAA uses only JavaScript code to infect computers and encrypt their data. RAA is not the first JS-based ransomware but is the first that relies 100 percent on JavaScript to infect computers.

In January, Emsisoft security researcher Fabian Wosar discovered Ransom32, the first ransomware family written in JavaScript, but Ransom32 was only coded in Node.js and crooks still distributed it as an executable.

On the other hand, RAA is delivered as a .js file. Crooks attach this file to spam email, disguising it to look like an Office document. Some users might download and execute this file.


RAA works entirely via JavaScript

On most computers, this runs via the Windows Script Host (WSH), who executes its commands system-wide, giving the malicious script access to system utilities.

The malicious JavaScript code contained in this file is obfuscated to deter security researchers from reverse-engineering its source.

The RAA payload includes the CryptoJS library. This JavaScript toolkit adds support for cryptographic functions in JavaScript. CryptoJS allows RAA to encrypt user files.

The same RAA payload also contains functions that download and install the Pony infostealer. This malware family can collect browser passwords and other information from a PC. Pony is usually used for reconnaissance, so crooks get a better overview of the infected system. Often, Pony goes hand-in-hand with banking trojans, but this behavior was not observed for RAA infections.

RAA is currently undeceryptable

RAA only encrypts 16 file types and then displays its ransom note. The researchers that spotted the malware first, @JAMES_MHT and @benkow_, only came across RAA versions with a ransom note in Russian.

The ransomware asks for 0.39 Bitcoin (~$250) as payment, claims to use AES-256 encryption, and asks users to contact the malware author via email to receive their decryption keys. According to Bleeping Computer, RAA is currently undecryptable.

Victims will have a hard time recognizing RAA infections because the ransomware uses the “.locked” file extension when it encrypts user files. Below is a screenshot of the RAA ransom note if you need a visual reference.

RAA ransom note

RAA ransom note

Let’s block ads! (Why?)

Related Posts

Facebook Comments

Return to Top ▲Return to Top ▲