RAA Ransomware Uses JavaScript for Disguise to Infect Computers and Encrypt Data

It's almost a norm to expect cybercrooks to conjure up new methods for infiltrating computers with malware. Today we discover the latest in ransomware, RAA Ransomware, which utilizes JavaScript to infect systems. Such an approach is unconventional, but by using JavaScript, RAA Ransomware can be attached to spam messages disguised as an Office document, which computer users are more apt to open.

The first time that we saw ransomware utilize JavaScript was in Ransom32, or JS.Crypto, a threat known for its relentless efforts to infect multiple operating systems. Using the JavaScript platform for ransomware opens up several possibilities, one of them being the ability to infect devices across different platforms and give the threat's malicious scripts access to system utilities.

RAA Ransomware may be a new family of threats that end up having several variations, all armed with the same JavaScript framework.

RAA Ransomware includes the CryptoJS library, a toolkit that adds support for cryptographic functions within JavaScript itself. The CryptoJS library allows for file encryption by RAA Ransomware, which also has a base64 encoder and information-stealing abilities. Such a function permits data on systems infected with RAA Ransomware to be stolen or collected and sent to the authors of RAA Ransomware.

The traditional functions of ransomware are alive and well in RAA Ransomware despite it being wholly based on JavaScript. Those traditional functions, such as display of a ransom note and an email address to contact to set up the ransom payment, are all part of RAA Ransomware's structure. The ransom note from RAA asks for a fee of 0.39 Bitcoin, which is about $250. The encryption used is the familiar AES-256, which is virtually undefeatable unless the proper decryption key is provided.

The difficulty of recognizing RAA Ransomware is part of what has set it apart from other ransomware. With the functionality of JavaScript and its cloaking abilities, victims may have a hard time telling RAA Ransomware apart from legitimate attachment files.
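A mail-gateway check for the disguise described above, as an added example that is not part of the original article: it walks a MIME message and flags attachments whose real extension is a script type, noting when the name is dressed up as a document. The extension list, the document-token pattern, the function name `flag_attachments` and the sample message are assumptions made for illustration, and the list covers more script types than the `.js` files the article discusses.

```python
import os
import re
from email import message_from_string, policy

# Extensions Windows runs through Windows Script Host or mshta (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-type tokens in the name that make a script read as an Office file.
DOC_CUE = re.compile(r"(?:^|[._\- ])(?:docx?|rtf|xlsx?|pdf)(?:$|[._\- ])")

def flag_attachments(raw_message):
    """Return (filename, reason) for every attachment worth quarantining."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        name = name.strip().rstrip(". ")
        stem, ext = os.path.splitext(name.lower())
        if ext not in SCRIPT_EXTS:
            continue
        # The declared MIME type is sender-controlled; only the name decides.
        if DOC_CUE.search(stem):
            findings.append((name, "script named like a document"))
        else:
            findings.append((name, "script attachment"))
    return findings

# Constructed sample message (addresses, names and payloads are made up).
SAMPLE = """\
From: billing@example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="invoice_doc.js"

var placeholder = 1;
--b1
Content-Type: application/pdf
Content-Disposition: attachment; filename="report.pdf"

placeholder
--b1--
"""
```

The check deliberately ignores the `Content-Type` header, since the sample attachment claims `application/msword` while carrying a `.js` name.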

The encryption method of RAA Ransomware uses the ".locked" file extension, further adding to the confusion of identifying the threat. Looking into the makeup of RAA Ransomware, some computer security researchers, such as those from @MalwareHunterTeam, have compared it to the Pony Infostealer threat. Such information does not come to us as a surprise. RAA Ransomware is verifiably a new type of ransomware that has multiple layers of actions that could result in relinquishing information about the infected system or lead to theft of data, in addition to encryption of files.