A new ransomware was discovered by security researchers @JAMESWT_MHT and @benkow_ called RAA that is written entirely in JavaScript. In the past we had seen a ransomware called Ransom32 that was created using NodeJS and packaged inside an executable. RAA is different, because it is not delivered via an executable, but rather as a standard JS file.

By default, the standard implementation of JavaScript does not include any advanced cryptography functions. To get around this, the RAA developers utilized the CryptoJS library so that AES encryption could be used to encrypt the files.

RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js. When the JS file is opened it will encrypt the files on the computer and then demand a ransom of ~$250 USD to get the files back. To make matters worse, it will also extract the embedded password-stealing malware called Pony from the JS file and install it onto the victim's computer. More information about the embedded Pony malware can be found here.

For those who need support with this ransomware, we have a dedicated forum topic here: RAA-SEP (.locked) Ransomware Help & Support Topic - !!!README!!! .rtf

How RAA Encrypts a Victim's Files

As already stated, RAA is distributed via email with an attached JavaScript (.JS) file. When a victim double-clicks on this JS file, Windows will execute the default program associated with JavaScript files. By default, this is the Windows Script Host, or wscript.exe.

When the file is executed, it will generate a fake Word document in the %MyDocuments% folder. This Word document will have a name similar to doc_attached_CnIj4 and will be opened automatically so that the attachment appears to be a corrupted document.

Fake Attachment

While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption.

AES Encryption Function

When a file has been encrypted, it will append the .locked extension to the filename. This means that a file called test.jpg would be encrypted and renamed as test.jpg.locked. The file types targeted by this infection are:

.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv

When encrypting files, RAA will skip any files whose filenames contain .locked, ~, or $, or that are located in the following folders:

Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData, Microsoft

While the ransomware executes it will also delete the Windows Volume Shadow Copy Service (VSS) so that it cannot be used to recover files from the shadow volume copies. As there are two obfuscated functions that deal with the VSS service, it is unclear if they delete the shadow copies before deleting the service. As we further deobfuscate the source code, we will update this article.

Deleting the VSS Service

Finally, the ransomware will create a ransom note on the desktop called !!!README!!![id].rtf, with [id] being the unique ID assigned to the victim. The text of this ransom note is in Russian and you can see its contents below.

RAA Ransom Note

BleepingComputer member Amigo-A has translated the Russian ransom note to English below:

*** ATTENTION! ***
Your files have been encrypted virus RAA. For encryption was used algorithm AES-256 is used to protect information of state secrets. This means that data can be restored only by purchasing a key from us. Buying key - a simple deed. All you need to:
1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address raa-consult1@keemail.me.
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address 15ADP9ErZTNgU8gBoJWFCujGbJXCRDzgTv. For information on how to buy Bitcoin for rubles with any card - https://www.bestchange.ru/visa-mastercard-rur-to-bitcoin.html
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.
Importantly (1). Do not attempt to pick up the key, it is useless, and can destroy your data permanently.
Importantly (2). If the specified address (raa-consult1@keemail.me) you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv). More details about the program - https://bitmessage.org/wiki/Main_Page
Importantly (3). We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.
README files located in the root of each drive.

The JS file will then be set as an autorun so that it is executed every time the victim logs into Windows. This also allows it to encrypt any new documents that were created since the last login.

At this point there is no way to decrypt the files for free. If anything is discovered in the future, this article will be updated.

RAA JS file also installs an embedded Pony password-stealing Trojan

If it wasn't bad enough for a victim to have their files encrypted, the RAA ransomware also installs the Pony password-stealing Trojan onto the victim's computer. Instead of downloading and installing Pony from the Internet, the malware developers converted the Pony executable into a base64-encoded string that they embedded in the JS file.

You can see a portion of the encoded file as the variable data_pn in the obfuscated code snippet below.

Obfuscated function that installs Pony

Below is the same function, but now deobfuscated so that you can see exactly what is going on. When this function is executed, the data_pn string is decoded back into the original executable and saved as %MyDocuments%\st.exe. Once saved, it will execute the Pony executable.

Deobfuscated function that installs Pony

As the JS file is set as an autorun, Pony will be extracted and executed every time the user logs into the computer.

How to Prevent RAA from Infecting a Computer

When a JavaScript file, such as RAA, executes outside of the browser it requires an interpreter that can read the file and execute the JavaScript commands within it. As most people do not need to execute JavaScript outside of a web browser, it is suggested that everyone disables the Windows Script Host so that these types of files are not allowed to execute.

If you wish to disable the Windows Script Host, which is enabled by default in Windows, add the following DWORD value to the registry and set it to 0.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled

Now that the Windows Script Host is disabled, any time someone on that computer tries to execute a JS file outside of the browser, Windows will refuse to run it and display the following alert.

Windows Scripting Host is Disabled Alert

As a reminder, this setting does not affect JavaScript from running within the browser. This only prevents JavaScript (.JS) files from executing outside the browser.
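The registry change described above, as an added PowerShell example that is not part of the original article: it creates the Enabled DWORD under the Windows Script Host Settings key and then checks that the value actually took effect. It assumes an elevated PowerShell session, since HKLM is only writable as an administrator.

```powershell
# Added example, not code from the original article: create the Enabled DWORD
# described above and confirm that Windows Script Host is now disabled.
# Assumes an elevated PowerShell session (HKLM is writable only as administrator).
$WshSettingsKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Disable-WindowsScriptHost {
    # The Settings key normally exists already; create it if it does not.
    if (-not (Test-Path -Path $WshSettingsKey)) {
        New-Item -Path $WshSettingsKey -Force | Out-Null
    }
    # Enabled = 0 (REG_DWORD) stops wscript.exe/cscript.exe from running scripts for all users.
    New-ItemProperty -Path $WshSettingsKey -Name 'Enabled' -PropertyType DWord `
        -Value 0 -Force | Out-Null
}

function Test-WindowsScriptHostDisabled {
    # WSH is enabled by default when the value is absent, so only an explicit 0 counts.
    $settings = Get-ItemProperty -Path $WshSettingsKey -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $settings -and $settings.Enabled -eq 0)
}

Disable-WindowsScriptHost
if (Test-WindowsScriptHostDisabled) {
    Write-Output 'Windows Script Host is disabled; .js attachments will no longer run via wscript.exe'
} else {
    Write-Warning 'Windows Script Host is still enabled; check that this session is elevated'
}
```

Double-clicking a .js file afterwards produces the alert shown above instead of running the script; browser JavaScript is unaffected.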

Updates:

6/14/16: MalwareHunterTeam notified me that the Pony Trojan was actually embedded in the JavaScript file as an encoded string. New section added to provide more info on the embedded Pony and showing the encryption function and the same function I deobfuscated. I also included info about the fake Word document that is displayed on the execution of the JS file.

6/20/16: Added information about wscript.exe handling the execution of the JavaScript code and a new section on how to prevent JavaScript files from executing.

Files associated with the RAA Ransomware

%Desktop%\!!!README!!![id].rtf
%MyDocuments%\doc_attached_[random_chars]
%MyDocuments%\st.exe
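An added PowerShell triage example, not code from the original article, that uses the file names listed above to scope an infection on a host: it finds .locked files, the !!!README!!![id].rtf note, the doc_attached_* lure and the dropped st.exe, and reports the victim ID from the note's name. The check of the Run keys is an assumption, since the article says the JS file is set as an autorun but does not name the registry location.

```powershell
# Added example, not code from the original article: list the RAA artifacts the
# article describes so an incident responder can scope the infection on a host.
# The Run-key check is an assumption: the article does not say which autorun is used.
function Find-RaaArtifacts {
    param(
        [string[]]$Roots = @([Environment]::GetFolderPath('Desktop'),
                             [Environment]::GetFolderPath('MyDocuments'))
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $kind = switch -Wildcard ($_.Name) {
                    '*.locked'          { 'encrypted file'; break }
                    '!!!README!!!*.rtf' { 'ransom note'; break }
                    'doc_attached_*'    { 'fake attachment lure'; break }
                    'st.exe'            { 'dropped Pony executable'; break }
                    default             { $null }
                }
                if ($kind) {
                    $hits.Add([pscustomobject]@{ Kind = $kind; Path = $_.FullName; LastWrite = $_.LastWriteTime })
                }
            }
    }
    # Assumed persistence location: Run values that reference a .js file.
    foreach ($runKey in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run') {
        $values = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if (-not $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds to the object.
            if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -match '\.js\b') {
                $hits.Add([pscustomobject]@{ Kind = 'autorun .js entry'; Path = "$runKey\$($prop.Name) = $($prop.Value)"; LastWrite = $null })
            }
        }
    }
    return $hits
}

$artifacts = Find-RaaArtifacts
$artifacts | Sort-Object Kind, Path | Format-Table -AutoSize
# The victim ID is the part of the note's name between !!!README!!! and .rtf.
$artifacts | Where-Object Kind -eq 'ransom note' |
    ForEach-Object { 'Victim ID: ' + ($_.Path -replace '.*!!!README!!!(.*)\.rtf$', '$1') }
```

Pass additional drive roots via -Roots to cover the README copies the note says are placed in the root of each drive.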

Registry entries associated with the RAA Ransomware