New RAA Ransomware Uses Only JavaScript to Infect Computers

raa-ransomwareWhile ransomware has exploded into a number of different families and variants since the beginning of 2016, researchers have yet again discovered a new ransomware that is quite “unique” in its own way. According to findings posted on BleepingComputer, the ransomware called RAA is composed entirely of JavaScript and has been spreading via email attachments that pretend to be doc files with names like mgJaXnwanxlS_doc_.js. Once the JavaScript is opened, it will encrypt files in the affected machine and demand a ransom amounting roughly to US$250 to get the files.

Reportedly, RAA infections display the ransom note in Russian, however, it’s only a matter of time until it’s distributed more widely and localized for other languages. Additionally, the ransomware also infects the victim’s computer by installing Pony, a well-known password-stealing malware embedded in the JavaScript file. This malware can collect browser passwords and other user information from an infected machine, and is usually used by hackers to gather critical information on infected systems. Pony is similar with banking trojans, but its behavior was not manifested in RAA.

The RAA ransomware is considered unique because it’s rare to see client-side malware written in web-based languages like JavaScript, which are primarily designed to be interpreted by browsers. Microsoft has previously warned about a spike in malicious email attachments containing JavaScript files in April 2016. The following month, security researchers alerted about spam emails that delivers and distributes the Locky ransomware via .js attachments. Both Locky and RAA uses JavaScript files as malware downloaders—designed to download and install a traditional malware program. With RAA however, the entire ransomware is written in JavaScript.

[READ: New Crypto-ransomware Locky uses malicious Word macros]

The ransomware was initially discovered by two security researchers, @JAMES_MHT and @benkow_. According to them, RAA ransomware encrypts files using a code from an open source library that’s fairly easy to use. The open source library called CryptoJS handles cipher algorithms likes AES, DES, etc. For example, RAA scans the victim’s machine and encrypts select files with AES-256. Similar to other strains of ransomware, RAA appends ‘.locked’ to the end of filenames. It targets images, Word, Excel, and Photoshop, storage formats such as zip and .rar files, sparing Program files, Windows files, AppData, and Microsoft files. 

“At this point, there is no way to decrypt the files for free,” Lawrence Abrams, founder of Bleeping Computer, said in his blog post. Meanwhile, users are advised to avoid opening attachments with the filenames mentioned above, even if they’re enclosed in a .zip archive.


Update: June 21, 2016

Upon further analysis, Trend Micro discovered that the RAA ransomware (detected as RANSOM_JSRAA.A) is written in JScript and not JavaScript. According to a blog post, the scripting language, JScript, is designed for Windows® systems and executed by the Windows® Scripting Host engine through Microsoft Internet Explorer® (IE). However, it cannot run via the newer Microsoft Edge® browser. JScript carries some semblances with JavaScript because they are both derived from ECMAScript (a standard for scripting language). Jscript is the implementation of ECMAScript while JavaScript is the Mozilla implementation of ECMAScript. Jscript is capable of accessing objects exposed by IE and some systems objects such as the WScript.

It is believed that the attackers behind the RAA ransomware are using the JScript scripting language to make detection more difficult and to make obfuscation easier. Most malware are written in compiled programming languages with ransomware often disguised as executables. Hence, using a language that is not typically used to deliver malware, such as scripting languages, could be less prone to detection. It also lends more time to cybercriminals to maximize their profit while the ransomware remains undetected.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.