How it works
According to BleepingComputer, when the victim double-clicks the RAA JS attachment, the script runs under Windows Script Host and first writes a fake Word document to the %MyDocuments% folder. The document has a name similar to doc_attached_CnIj4 and is opened automatically; its garbled content is meant to convince the victim that the attachment was simply corrupted. In the background, RAA checks whether it has write access to the victim's drives and, where it does, encrypts files with AES using code lifted from the CryptoJS library. Each encrypted file gets .locked appended after its original extension (report.pdf becomes report.pdf.locked). The targeted extensions are: .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv.
Files whose names contain .locked, ~ or $ are skipped, as are files under these folders: Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData, Microsoft. The Windows Volume Shadow Copy Service (VSS) is deleted so that earlier versions of the files cannot be restored from shadow copies. The final step is a ransom note written to the desktop. The script also registers itself as an autorun entry, so it runs again every time the victim logs into Windows.
The developers also embedded the Pony malware in the JS file as a base64-encoded string; it is decoded, dropped and executed every time a new session begins. Pony is an information stealer that harvests passwords and other credentials from the infected computer. Attackers normally use it to gather intelligence about the systems they compromise, and it is usually paired with banking Trojans; in RAA's case it is bundled with ransomware instead. According to BleepingComputer, files encrypted by RAA currently cannot be decrypted without the attacker's key.
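The behaviour above leaves three traces on disk: files with .locked appended after a targeted extension, the doc_attached_* decoy in the Documents folder, and an autorun entry that launches a script. The following triage script is an added example (not code from the page or from the analysis it summarizes) that looks for all three on a suspect machine. The Run registry keys it checks are an assumption; the page only says the script runs at every logon.

```powershell
# Added example, not from the page: triage a machine suspected of an RAA infection.
# Run in PowerShell on the suspect host; HKLM keys are readable without elevation.

# Extensions RAA targets, taken from the description above.
$TargetExt = @('.doc', '.xls', '.rtf', '.pdf', '.dbf', '.jpg', '.dwg', '.cdr',
               '.psd', '.cd', '.mdb', '.png', '.lcd', '.zip', '.rar', '.csv')

# Folders RAA skips; scanning them only adds noise. The page lists "Recycle.Bin",
# which on current Windows is the hidden $Recycle.Bin folder.
$SkipDirs = @('Program Files', 'Program Files (x86)', 'Windows', '$Recycle.Bin',
              'Recycler', 'AppData', 'Temp', 'ProgramData', 'Microsoft')

function Find-LockedFiles {
    param([string[]]$Roots = @($env:USERPROFILE))
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $path = $_.FullName
                # report.pdf becomes report.pdf.locked: Extension is .locked and the
                # BaseName (report.pdf) still carries the original, targeted extension.
                $_.Extension -eq '.locked' -and
                $TargetExt -contains [IO.Path]::GetExtension($_.BaseName).ToLower() -and
                @($SkipDirs | Where-Object { $path -like "*\$_\*" }).Count -eq 0
            }
    }
}

function Find-DecoyDocument {
    # The decoy is dropped in the user's Documents folder with a doc_attached_ prefix.
    $docs = [Environment]::GetFolderPath('MyDocuments')
    Get-ChildItem -Path $docs -Filter 'doc_attached_*' -File -ErrorAction SilentlyContinue
}

function Find-ScriptAutoruns {
    # Assumption: the logon persistence lives in one of the usual Run keys.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            # Any value that runs a .js/.jse file, or invokes a script host directly, is suspect.
            if ($cmd -match '(?i)\.jse?\b|wscript\.exe|cscript\.exe') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

$autoruns = @(Find-ScriptAutoruns)
$decoys   = @(Find-DecoyDocument)
$locked   = @(Find-LockedFiles | Sort-Object LastWriteTime)

Write-Host "Script autorun entries : $($autoruns.Count)"
$autoruns | Format-Table -AutoSize | Out-Host
Write-Host "Decoy documents        : $($decoys.Count)"
$decoys | Select-Object FullName | Out-Host
Write-Host "Encrypted files        : $($locked.Count)"
if ($locked.Count -gt 0) {
    # The earliest .locked write time approximates when encryption began, which
    # bounds the window to search in mail and logon logs.
    Write-Host "Encryption started ~ $($locked[0].LastWriteTime)"
    $locked | Select-Object FullName, LastWriteTime -First 20 | Format-Table -AutoSize | Out-Host
}
```

Pass additional drive roots to Find-LockedFiles (for example mapped network shares) to see how far the encryption reached; any autorun entry it reports should be removed before the user logs in again, since the page notes the script re-runs at every logon.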
- Disable Windows Script Host (WSH), which is what runs a double-clicked .js file
- Avoid opening emails from unknown sources
- Avoid opening attachments from unknown sources
- Back up important files regularly, to storage the infected machine cannot overwrite
- Actively monitor activity, for example wscript.exe launched from a mail client or a burst of files renamed to .locked
- Block .js file attachments at the mail gateway
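The first mitigation is a single registry value. The script below is an added example (not from the page) that reads the current Windows Script Host state, disables WSH machine-wide, and reads the setting back to confirm; the registry path and value are Microsoft's documented WSH setting, and the script assumes an elevated PowerShell session because the key is under HKLM.

```powershell
# Added example, not from the page: disable Windows Script Host so a double-clicked
# .js attachment can no longer run under wscript.exe. Run from an elevated prompt.

$WshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-WshState {
    # A missing value or 1 means WSH is on (the default); 0 means it is off.
    $v = (Get-ItemProperty -Path $WshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    if ($null -eq $v -or $v -ne 0) { 'enabled' } else { 'disabled' }
}

function Disable-Wsh {
    if (-not (Test-Path $WshKey)) { New-Item -Path $WshKey -Force | Out-Null }
    # Weak setting: Enabled absent or 1. Corrected setting: Enabled = 0 (REG_DWORD).
    Set-ItemProperty -Path $WshKey -Name Enabled -Value 0 -Type DWord
}

Write-Host "WSH before: $(Get-WshState)"
Disable-Wsh
Write-Host "WSH after:  $(Get-WshState)"
```

After this, launching any .js or .vbs file shows a "Windows Script Host access is disabled on this machine" dialog instead of running it. The same value under HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings disables WSH for one user only. Check first whether logon or management scripts in your environment depend on wscript.exe or cscript.exe, since they stop working too.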