Ra Ransomware

The Ra Ransomware is an encryption ransomware Trojan that was observed on July 9, 2018. The Ra Ransomware is delivered to victims through the use of corrupted phishing email messages containing a file attachment that uses embedded macros to download and install the Ra Ransomware onto the victim's computer. Because of this, learning how to recognize spam email tactics and handle unsolicited email attachments is a fundamental part of preventing attacks like the Ra Ransomware.

How the the Ra Ransomware Attack Works

Once the Ra Ransomware is installed on the victim's computer, the Ra Ransomware will use the RSA and AES encryptions to make the victim's files inaccessible. The Ra Ransomware will target a wide variety of the user-generated files, which may include media files, documents, databases, configuration files, archives, and numerous other file types. The files that threats like the Ra Ransomware will target in their attacks include:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .do.

The Ra Ransomware is designed to rename any files compromised by the attack, adding a string of five random letters as a new file extension to the affected files and scrambling the name of the affected files using base64. The Ra Ransomware delivers a ransom note in the form of an HTML file named 'Recovery instructions.html,' which is dropped on the infected computer. The Ra Ransomware ransom note reads as follows:

'All your files are belong to us!
All your personal files, including, but not limited to:
Photos, videos, databases and office projects have been encrypted using a mix of two very strong cryptographic algorithms – AES-128 and RSA-1028. Original files have been overwritten, recovery tools and software will not help you.
The only way to recover your files, are to meet our demands.
Be warned, we won't be able to recover your files if you start fiddling with them.
You have 120 hours (5 days) from this moment to send us payment, or you files will be lost in eternity.
To start the recovery process you need to download and install the Tor browser, which is easily done from their own home-page.
Once you have the Tor browser running you need to navigate to hxxp://recovery6m3lvkxg[.]onion and then input your personal id displayed below.
Further payment instructions will be given once logged in.'

Malware specialists strongly advise computer users against connecting to the Ra Ransomware's payment portal, since paying the Ra Ransomware ransom allows the criminals to continue developing and releasing Ra Ransomware variants.

Protecting Your Data from Threats Like the Ra Ransomware

The best protection against these threats is to have file backups, stored on external devices, such as the cloud. Apart from file backups, PC security researchers recommend that computer users have a security program. Since the Ra Ransomware is delivered using spam email messages, learning to deal with this content kind is also important.

SpyHunter Detects & Remove Ra Ransomware