RAA Ransomware is Fully JavaScript

In January 2016, Ransom32 was discovered by Fabian Wosar, Security Expert of Emisoft. This is first family of ransomware that was JavaScript written, although Ransom32 was just Node.js coded and the hackers continue distributing it as executable. Simultaneously, RAA was delivered as .js file. For making it to resemble an Office document, the file was attached with a spam email by cyber criminals. Like this, most PC users might be prompted for downloading and executing this file.

The malicious code of JavaScript enclosed in an email attachment is obfuscated, so that the security researchers cannot reverse-engineer its source. Code runs using the WSH (Windows Script Host), which performs its commands system-wide, enabling malicious script to have access to the system utilities.

In the recent months, attackers have started this technique; however Microsoft warned about a rise in malicious email attachments that contain files of JavaScript in April. Security researchers of ESET warned last month about a spam wave, which circulates Locky ransomware via .js attachments.

In both the cases, files of JavaScript are used as the malware downloaders-scripts intended in downloading and installing a conventional malware program.

Experts of tech support forum BleepingComputer.com say that RAA depends on CryptoJS, which is a legitimate library of JavaScript, for implementing the encryption routine. pcworld.com posted on June 14th, 2016, stating that the implementation looks solid with the use of AES-256 encryption algorithm.

RAA leaves a ransom note on the desktops instructing victims to send 0.39 Bitcoin, or $250, a particular address of Bitcoin. The note specifies that the victims can get a key for decrypting their files, only after paying the ransom amount.

Victims will face a tough time recognizing the RAA infections, as file extension ".locked" was used by the ransomware while encrypting files of users.

It is not very common for people sending legitimate applications via email that was JavaScript written, and hence users should stop opening this kind of file, even when it is enclosed in .zip archive.

It is quite difficult for malware victims recognizing RAA infections, as ransomware uses file extensions ".locked" while encrypting user's files.

» SPAMfighter News - 6/21/2016