14 DAY TRIAL // A new ransomware family called RAA uses only JavaScript code to infect computers and encrypt their data. RAA is not the first JS-based ransomware piece, but it is the first that relies 100 percent on JavaScript to infect computers.
In January, Emsisoft security researcher Fabian Wosar discovered Ransom32, the first ransomware family written in JavaScript, but Ransom32 was only coded in Node.js, and crooks still distributed it as an executable.
On the other hand, RAA is delivered as a .js file. Crooks attach this file to spam email, disguising it to look like an Office document. Some users might download and execute this file.
RAA works entirely via JavaScript
The malicious JavaScript code contained in email attachment is obfuscated to deter security researchers from reverse-engineering its source.
On most computers, this code runs via the Windows Script Host (WSH), which executes its commands system-wide, giving the malicious script access to system utilities.
The JS file will also create a fake Word document and open it. The file contains random files to fool users into thinking the document is corrupted.
The RAA payload includes the CryptoJS library. This JavaScript toolkit adds support for cryptographic functions in JavaScript. CryptoJS allows RAA to encrypt user files.
The same RAA payload also contains a base64-encoded version of the Pony infostealer. This malware family can collect browser passwords and other information from a PC. Pony is usually used for reconnaissance, so crooks get a better overview of the infected system. Often, Pony goes hand in hand with banking trojans, but this behavior was not observed for RAA infections.
RAA is currently undecryptable
RAA only encrypts 16 file types and then displays its ransom note. The researchers who spotted the malware first, @JAMES_MHT and @benkow_, only came across RAA versions with a ransom note in Russian.
The ransomware asks for 0.39 Bitcoin (~$250) as payment, claims to use AES-256 encryption, and asks users to contact the malware author via email to receive their decryption keys. According to Bleeping Computer, RAA is currently undecryptable.
Victims will have a hard time recognizing RAA infections because the ransomware uses the ".locked" file extension when it encrypts user files. Below is a screenshot of the RAA ransom note if you need a visual reference.
UPDATE: Article updated with more technical information on the Pony infostealer received from @MalwareHunterTeam.
This JS drop Pony and a ransomware https://t.co/3dwJvax99G management C&C: startwavenow\.com/ pic.twitter.com/mo4q7VYdEJ — Benkow moʞuƎq (@benkow_) June 13, 2016
@benkow_ @JAMESWT_MHT @jedisct1 @Antelox It must be 100% in js, as it's only drops one exe, which is the Pony. cc @BleepinComputer — MalwareHunterTeam (@malwrhunterteam) June 13, 2016
@JAMESWT_MHT @malwrhunterteam @jedisct1 @Antelox self called "RAA" and seems to be 100% in JS pic.twitter.com/wOob6BFWLY — Benkow moʞuƎq (@benkow_) June 13, 2016