RAA Ransomware – Born From JavaScript

RAA is a brand new ransomware family that uses only JavaScript code to infect computers and encrypt their data.

RAA is not the first JS-based ransomware threat, but it is the first one that relies 100% on JavaScript to infect machines.

The Emsisoft security expert Fabian Wosar discovered Ransom32 in January of this year. That was the first ransomware family written in JavaScript, though Ransom32 was only coded in Node.js, and hackers continue to distribute it as an executable. RAA, by contrast, is delivered as a .js file. Cyber criminals attach this file to a spam email and make it look like an Office document, so most computer users might download and execute it.

Usually, this file runs via the Windows Script Host (WSH), which executes its commands system-wide, giving the malicious script access to system utilities. The malicious JavaScript code in this file is obfuscated to deter security experts from reverse-engineering its source.
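For mail filtering, the delivery pattern described above (a WSH-executable script attachment named to resemble a document) can be triaged before it reaches a user. The sketch below is an added example, not code from RAA or from any vendor; the function names, the document-extension list and the double-extension lure check are assumptions, since the article does not say how the file is disguised.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# File types associated with Windows Script Host by default.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document extensions a lure name might imitate (assumed list for this example).
DOC_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx", ".pdf"}
SCRIPT_MIME_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}

def triage_attachments(raw_message: bytes):
    """Return [(filename, reasons)] for attachments that WSH would execute."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Windows ignores trailing dots and spaces, so normalise before matching.
        clean = name.strip().rstrip(". ").lower()
        suffixes = PurePosixPath(clean).suffixes
        reasons = []
        if suffixes and suffixes[-1] in WSH_EXTENSIONS:
            reasons.append("wsh-script-extension")
            if len(suffixes) >= 2 and suffixes[-2] in DOC_EXTENSIONS:
                reasons.append("document-double-extension")
        if part.get_content_type() in SCRIPT_MIME_TYPES:
            reasons.append("script-mime-type")
        if reasons:
            findings.append((name, reasons))
    return findings

def build_sample() -> bytes:
    """Constructed message: one lure-named script stub and one ordinary document."""
    msg = EmailMessage()
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment("/* constructed placeholder, no payload */",
                       subtype="javascript", filename="Invoice.doc.js")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="report.docx")
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reasons in triage_attachments(build_sample()):
        print(filename, reasons)
```

A gateway would quarantine or strip any attachment this returns, whatever the display name suggests.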

The RAA payload includes the CryptoJS library, a JavaScript toolkit that adds support for cryptographic functions in JavaScript. CryptoJS is what allows RAA to encrypt users' files. The same RAA payload contains functions which download and install the Pony infostealer. This malware family can collect browser passwords and other information from a PC. Usually, Pony is used for reconnaissance, so hackers get a better overview of the infected system. Often, Pony goes hand in hand with banking trojans, but this behavior was not observed for RAA infections.

To be precise, RAA only encrypts 16 file types and then displays its ransom note. The security experts who first spotted the malware only came across RAA versions with a ransom note in Russian.

RAA ransomware asks for 0.39 Bitcoin (~$250) as payment, claims to use AES-256 encryption, and asks users to contact the malware developer via email to receive their decryption keys.

It will be rather difficult for victims to recognize RAA infections because the ransomware uses the “.locked” file extension when it encrypts users' files.
