
RAA Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 3
First Seen: June 15, 2016
Last Seen: November 11, 2020
OS(es) Affected: Windows

There has been a noticeable escalation in ransomware attacks in the spring and summer of 2016. The RAA Ransomware is a ransomware Trojan that encrypts its victims' files and then demands the payment of a ransom. PC security analysts strongly advise against paying the RAA Ransomware ransom. Fortunately, a decryption utility appears to be available that can help computer users recover the files encrypted by the RAA Ransomware without paying the ransom this threat demands. The RAA Ransomware does not seem to be programmed particularly well and is probably the work of amateurs. Regardless, it is easy to confuse the RAA Ransomware with a more severe threat and pay the ransom instead of recovering the affected files with a decryption utility.

The Main Target of the RAA Ransomware Infection is Russian-Speaking Computer Users

The RAA Ransomware seems to be targeted at Russian-speaking computer users, although it can infect computers outside of Russia. The RAA Ransomware's ransom note is named !!!README!!!.rtf and alerts the computer user that the files were encrypted using the AES-256 encryption algorithm. The RAA Ransomware demands that computer users send their personal ID number to the email address to receive payment instructions. It demands a payment of $250 USD for the decryption key and offers to decrypt a few of the victim's files as proof. The RAA Ransomware may be distributed using corrupted email attachments. Files encrypted by the RAA Ransomware will have the extension '.LOCKED'. The RAA Ransomware targets the following file extensions:

.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv.

If the file path contains one of the following strings, the RAA Ransomware skips those files:

Windows, RECYCLER, Program Files, Program Files (x86), Recycle.Bin, APPDATA, TEMP, ProgramData, and Microsoft.

The RAA Ransomware does delete Shadow Volume Copies. One particularly curious aspect of the RAA Ransomware is that it is written in JavaScript and bundled with a password-stealing threat known as Pony. The following is a translation of the RAA Ransomware ransom message (the original is in Russian):

*** ATTENTION! ***
Your files have been encrypted virus the RAA.
For encryption was used algorithm AES-256, which used to protect information of state secrets.
This means that data can be restored only by purchasing a key from us.
Buying key - a simple deed.
All you need to:
1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address
For information on how to buy Bitcoin for rubles with any card -
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.
Importantly (1).
Do not attempt to pick up the key, it is useless, and can destroy your data permanently.
If the specified address (the you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).
More details about the program -
Importantly (3).
We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.
README files located in the root of each drive
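The file-selection behavior described above (targeted extensions, skipped path substrings, the '.LOCKED' extension and the !!!README!!!.rtf note) can be turned into a small incident-response triage helper. The following is an added example written for this entry, not code from the threat or from its authors; the sample paths are constructed, and the case-insensitive matching of the skipped path strings is an assumption.

```python
# Added triage example for the RAA Ransomware behaviour described in this entry.
# Given file paths from an affected host, it classifies each path as already
# encrypted, a ransom note, at risk (would be targeted), skipped, or untouched.
from collections import Counter
from pathlib import PureWindowsPath

# Targeted extensions and skipped path substrings, as listed in the entry.
TARGET_EXTENSIONS = {".doc", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr",
                     ".psd", ".cd", ".mdb", ".png", ".lcd", ".zip", ".rar", ".csv"}
SKIP_SUBSTRINGS = ("Windows", "RECYCLER", "Program Files", "Program Files (x86)",
                   "Recycle.Bin", "APPDATA", "TEMP", "ProgramData", "Microsoft")
LOCKED_SUFFIX = ".LOCKED"
RANSOM_NOTE = "!!!README!!!.rtf"


def classify(path_str):
    """Return 'note', 'locked', 'untouched', 'skipped' or 'at_risk' for one path."""
    p = PureWindowsPath(path_str)
    if p.name == RANSOM_NOTE:
        return "note"
    if p.name.upper().endswith(LOCKED_SUFFIX):
        return "locked"
    if p.suffix.lower() not in TARGET_EXTENSIONS:
        return "untouched"
    # Assumption: substring match on the skip list is case-insensitive.
    haystack = path_str.upper()
    if any(s.upper() in haystack for s in SKIP_SUBSTRINGS):
        return "skipped"
    return "at_risk"


def triage(paths):
    """Count each class; the host counts as infected if any note or .LOCKED file is seen."""
    counts = Counter(classify(p) for p in paths)
    infected = counts["locked"] > 0 or counts["note"] > 0
    return dict(counts), infected


# Constructed sample listing, not taken from a real host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xls.LOCKED",
    r"C:\Users\alice\Documents\!!!README!!!.rtf",
    r"C:\!!!README!!!.rtf",
    r"D:\photos\trip.jpg",
    r"C:\Program Files\App\manual.pdf",
    r"C:\Users\alice\AppData\Local\cache.csv",
    r"C:\Users\alice\notes.txt",
    r"C:\Users\alice\Desktop\plan.DWG",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

Feeding the output of a recursive directory listing into triage() gives a quick scope estimate (how much was encrypted, how much was still exposed) before restoring from backup.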

Preventing the RAA Ransomware Attacks

Malware researchers strongly advise against paying the RAA Ransomware ransom. When dealing with these threats, it is important to take preventive measures. Malware researchers also advise computer users to back up their files on an external device. It is also essential that computer users run a reliable, fully up-to-date security application to prevent threats like the RAA Ransomware from entering a computer. A good anti-spam filter and good security practices can also keep computer users from opening corrupted email attachments containing threats like the RAA Ransomware.
