Petronella Blog Archive

How to Easily Prevent a Beastly New Virus

Security researchers have discovered a new ransomware called RAA, and it is a beast. Not only does it demand $250 to unlock the files, but it also leaves behind password-stealing malware called “Pony.”

RAA is the first ransomware to be created 100% from JavaScript and is unique in that it is able to be delivered as a standard JS file. Ransom32 was made using NodeJS but it, like other ransomware, was then hidden inside an executable.

The RAA developers used the CryptoJS library to encrypt the files, since standard JS does not come equipped with cryptography functions advanced enough to encrypt files on its own. RAA has been distributed as email attachments with document-like file names such as mgJaXnwanxlS_doc_.js, and when the target opens the file, havoc is unleashed.

The first thing that happens when the victim double-clicks the “file” is that Windows runs it with whichever default program is associated with JS files (the default is Windows Script Host, wscript.exe), since it is actually a JS file and not a document. Once executed, the script creates a fake Word document with a name similar to the attachment in the %MyDocuments% folder. The fake document is then opened automatically so that the target thinks the attachment was corrupted.

But by then it is already too late.

Behind the scenes, RAA begins scanning drives and checks that the user has both read and write access. If the user does not, then they are safe. But if the user does (which most do), RAA then uses CryptoJS code to encrypt the intended file types, using AES encryption. Once a file has been kidnapped, RAA appends the .locked extension to the file name. For example, RAA would rename “word.doc” to “word.doc.locked”.

RAA targets the following file types:

  • .doc
  • .xls
  • .rtf
  • .pdf
  • .dbf
  • .jpg
  • .dwg
  • .cdr
  • .psd
  • .cd
  • .mdb
  • .png
  • .lcd
  • .zip
  • .rar
  • .csv

RAA skips files containing:

  • .locked
  • ~
  • $

RAA skips files located in the following folders:

  • Program Files
  • Program Files (x86)
  • Windows
  • Recycle.Bin
  • Recycler
  • AppData
  • Temp
  • ProgramData
  • Microsoft

Maybe you’re thinking, can’t the victim just use Windows Volume Shadow Copy Service (VSS) so the shadow volume copies can be recovered? Well, the creators thought their target might think of that as well, so in addition to the ransomware and malware, it also deletes VSS.

RAA’s dove song is in the form of a ransom note. It is left on your desktop and it is named !!!README!!![id].rtf (where [id] is the victim’s own identification code).

This note is written in Russian, but the English translation is as follows:

*** ATTENTION! ***

Your files have been encrypted virus RAA.

For encryption was used algorithm AES-256 is used to protect information of state secrets.

This means that data can be restored only by purchasing a key from us.

Buying key - a simple deed.

All you need to do:

1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address

2. Test decrypt few files in order to make sure that we do have the key.

3. Transfer 0.39 BTC ($ 250) to Bitcoin-address


For information on how to buy Bitcoin for rubles with any card -


4. Get the key and the program to decrypt the files.

5. Take measures to prevent similar situations in the future.

Importantly (1).

Do not attempt to pick up the key, it is useless, and can destroy your data permanently.

Importantly (2).

If the specified address ( you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).

More details about the program - //

Importantly (3).

We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.

The files are now locked, and there is no way to decrypt them without paying the ransom. Here is the kicker – RAA does not just steal your old files; the script is set to autorun, so it executes each time a user logs on to Windows.

As if all of that is not bad enough, in addition to the kidnapping of files, RAA installs malware called Pony, a Trojan that steals the victim’s passwords. And Pony is not downloaded from the internet; the creators embedded its code in the JS file itself.

Like the ransomware, Pony is set to autorun so it will also run every time the user logs onto the computer.
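For triage, the file-name indicators described above (the document-like .js attachment, the .locked suffix and the !!!README!!![id].rtf note) can be matched against a file listing. The Python below is an added example, not code from the original post; the sample paths are constructed, the lure tokens other than "doc" are assumptions, and it assumes [id] appears in the note's file name without brackets.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Ransom note name from the article: !!!README!!![id].rtf
NOTE_RE = re.compile(r"^!!!README!!!(?P<id>.+)\.rtf$", re.IGNORECASE)
# "doc" comes from the article's sample attachment name; the other
# document-type tokens are assumptions added for illustration.
LURE_RE = re.compile(r"(?:^|[^a-z0-9])(doc|xls|rtf|pdf)(?:[^a-z0-9]|$)")

def classify(path):
    """Return (indicator, detail) for one Windows path, or None if no match."""
    name = PureWindowsPath(path).name
    lower = name.lower()
    note = NOTE_RE.match(name)
    if note:
        return ("ransom_note", note.group("id"))        # detail: victim ID
    if lower.endswith(".locked"):
        return ("encrypted_file", name[:-len(".locked")])  # detail: original name
    # A script whose stem carries a document-type token, e.g. "_doc_.js"
    if lower.endswith(".js") and LURE_RE.search(lower[:-3]):
        return ("disguised_script", name)
    return None

def triage(paths):
    """Group hits by indicator; flag listings showing note plus locked files."""
    hits = defaultdict(list)
    for p in paths:
        result = classify(p)
        if result:
            hits[result[0]].append(result[1])
    report = dict(hits)
    report["encryption_observed"] = (
        "ransom_note" in hits and "encrypted_file" in hits
    )
    return report

# Constructed sample listing (the attachment name, the renamed file and the
# ID are the examples quoted in the article; the paths themselves are made up).
SAMPLE = [
    r"C:\Users\alice\Downloads\mgJaXnwanxlS_doc_.js",
    r"C:\Users\alice\Documents\word.doc.locked",
    r"C:\Users\alice\Desktop\!!!README!!!E993A9FD-C5D9-4128-AF38-71A54E1258DA.rtf",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\inetpub\wwwroot\app.js",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

A disguised script on its own points to a delivered but possibly unexecuted attachment; the note together with .locked files means encryption has already run on that profile.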

Disable Windows Script Host to Prevent Successful RAA Attack

Windows Script Host is essentially the interpreter between RAA and the computer. Since most users have no need to open JS outside of a browser, disabling Windows Script Host will prevent the virus from running, and it will not inconvenience the user.

This is very easy to do yourself by adding the following DWORD Registry entry to your computer and setting the value to 0.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled

Once disabled, nobody will be able to run a JS file outside of the browser, and an alert will pop up if someone does try.

This bug is nasty, but with just a few simple steps, you and your employees can avoid being victimized by it. Please contact us if you have any additional questions or if you would like assistance ensuring the security of your computers.