A ransomware composed entirely of JavaScript?

Security researcher Lawrence Abrams has noticed a new ransomware strain composed entirely of JavaScript.


The ransomware, dubbed RAA, has been circulating through attachments masquerading as Word .doc files according to this post on Lawrence’s site BleepingComputer.com:

RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js. When the JS file is opened it will encrypt the computer and then demand a ransom of ~$250 USD to get the files back.

When a victim double-clicks on the RAA Ransomware JS file, it will generate a fake word document in the %MyDocuments% folder. This word document will have a name similar to doc_attached_CnIj4 and will be automatically opened to make it look like the attachment was corrupted.

While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption.

After, the ransomware will create a ransom note on the desktop:


The english translation of message:

*** ATTENTION! ***
Your files have been encrypted virus RAA.
For encryption was used algorithm AES-256 is used to protect information of state secrets.
This means that data can be restored only by purchasing a key from us.
Buying key - a simple deed.

All you need to:
1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address
[email protected]
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address
15ADP9ErZTNgU8gBoJWFCujGbJXCRDzgTv.
For information on how to buy Bitcoin for rubles with any card -
//www.bestchange.ru/visa-mastercard-rur-to-bitcoin.html
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.

Importantly (1).
Do not attempt to pick up the key, it is useless, and can destroy your data permanently.

Importantly(2).
If the specified address ([email protected]) you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).
More details about the program - //bitmessage.org/wiki/Main_Page

Importantly (3).
We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.

README files located in the root of each drive.

More information on this thread on bleepingcomputer.com forum:

http://www.bleepingcomputer.com/forums/t/617210/raa-sep-locked-ransomware-help-support-topic-readmeidrtf/

Comments