On the other hand, RAA is delivered as a .js file. Crooks attach this file to spam email, disguising it to look like an Office document. Some users might download and execute this file.
On most computers, this runs via the Windows Script Host (WSH), which executes its commands system-wide, giving the malicious script access to system utilities.
The same RAA payload also contains functions that download and install the Pony infostealer. This malware family can collect browser passwords and other information from a PC. Pony is usually used for reconnaissance, so crooks get a better overview of the infected system. Often, Pony goes hand-in-hand with banking trojans, but this behavior was not observed for RAA infections.
RAA is currently undecryptable
RAA only encrypts 16 file types and then displays its ransom note. The researchers that spotted the malware first, and , only came across RAA versions with a ransom note in Russian.
The ransomware asks for 0.39 Bitcoin (~$250) as payment, claims to use AES-256 encryption, and asks users to contact the malware author via email to receive their decryption keys. According to, RAA is currently undecryptable.
Victims will have a hard time recognizing RAA infections because the ransomware uses the “.locked” file extension when it encrypts user files. Below is a screenshot of the RAA ransom note if you need a visual reference.
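Two quick defender-side checks for the traits described above, as an added example that is not part of the original article: triaging mail attachments that the Windows Script Host would run (a .js file dressed up as an Office document) and spotting files that already carry RAA's ".locked" extension. The attachment names and file listing in the block are constructed samples.

```python
# Constructed triage helpers for two RAA traits: a .js mail attachment posing
# as an Office document, and user files renamed to ".locked" after encryption.
from dataclasses import dataclass, field
from typing import Iterable, List

# Extensions the Windows Script Host runs on double-click.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Extensions a user expects on an Office attachment.
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf"}
# Extension RAA appends to encrypted files (from the article).
RANSOM_EXTENSION = ".locked"


@dataclass
class Verdict:
    filename: str
    block: bool
    reasons: List[str] = field(default_factory=list)


def triage_attachment(filename: str) -> Verdict:
    """Flag attachments WSH would execute, especially ones dressed up as Office files."""
    parts = filename.strip().lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    inner = "." + parts[-2] if len(parts) > 2 else ""
    reasons: List[str] = []
    if ext in WSH_EXTENSIONS:
        reasons.append(f"script-host extension {ext}")
        if inner in OFFICE_EXTENSIONS:
            reasons.append(f"double extension {inner}{ext} imitates an Office document")
    return Verdict(filename, bool(reasons), reasons)


def locked_files(paths: Iterable[str]) -> List[str]:
    """Return the paths carrying RAA's '.locked' extension (a quick post-infection check)."""
    return [p for p in paths if p.lower().endswith(RANSOM_EXTENSION)]


if __name__ == "__main__":
    # Constructed sample attachment names and a constructed file listing.
    for name in ("Invoice_2016.docx.js", "Quarterly report.xlsx", "scan.wsf"):
        print(triage_attachment(name))
    print(locked_files(["C:/Users/a/photo.jpg.locked", "C:/Users/a/notes.txt"]))
```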
This JS drops Pony and a ransomware management C&C: startwavenow.com/ — Benkow moʞuƎq (@benkow_)
It must be 100% in js, as it only drops one exe, which is the Pony. cc — MalwareHunterTeam (@malwrhunterteam)
self called “RAA” and seems to be 100% in JS — Benkow moʞuƎq (@benkow_)