New Ransomware ‘Undecryptable’
Wednesday, June 15, 2016 @ 03:06 PM gHale
A new ransomware family called RAA uses only JavaScript code to infect computers and encrypt their data, researchers said.
RAA is not the first JavaScript-based ransomware piece, but it is the first that relies 100 percent on JavaScript to infect computers.
Ransom32 was the first ransomware family written in JavaScript, but it was coded in Node.js and attackers still distributed it as an executable, said Emsisoft security researcher Fabian Wosar, who found the malware.
Attackers attach this .js file to spam email, disguising it to look like an Office document. Some users might download and execute this file.
The malicious JavaScript code contained in the email attachment is obfuscated to deter security researchers from reverse-engineering its source.
On most computers, this code runs via the Windows Script Host (WSH), which executes its commands system-wide, giving the malicious script access to system utilities.
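The lure described above is a script attachment whose name imitates an Office document and whose extension is handed to the Windows Script Host. The following mail-filter check is an added example, not code from the article or from any of the researchers it cites; the sample message and the extension lists are constructed for the demonstration.

```python
# Added example (not code from the article): flag attachments that Windows
# Script Host would run, including lures named like Office documents.
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import List, Optional, Tuple

# Extensions associated with the Windows Script Host by default.
WSH_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}
# Document extensions a lure such as "Invoice.docx.js" imitates.
OFFICE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf", ".pdf"}


def classify_filename(name: str) -> Optional[str]:
    """Return a reason if the attachment name should be flagged, else None."""
    parts = name.lower().strip().rsplit(".", 2)  # keep up to two extensions
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last not in WSH_EXTENSIONS:
        return None
    if len(parts) == 3 and "." + parts[1] in OFFICE_EXTENSIONS:
        return f"script disguised as Office document (.{parts[1]}{last})"
    return f"Windows Script Host file ({last})"


def find_script_attachments(raw: bytes) -> List[Tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (filename, reason) pairs."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        reason = classify_filename(name) if name else None
        if reason:
            flagged.append((name, reason))
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample mail: one real-looking .docx and one .docx.js lure."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"PK\x03\x04", maintype="application",
                       subtype="octet-stream", filename="Invoice.docx")
    msg.add_attachment(b"var a=1;", maintype="application",
                       subtype="octet-stream", filename="Invoice.docx.js")
    return bytes(msg)
```

Running `find_script_attachments(build_sample_message())` flags only the `.docx.js` attachment, leaving the genuine document untouched.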
The JS file also creates a fake Word document and opens it. The document is filled with random content so users believe it is simply corrupted.
The RAA payload includes the CryptoJS library. This JavaScript toolkit adds support for cryptographic functions in JavaScript. CryptoJS allows RAA to encrypt user files.
The same RAA payload also contains a base64-encoded version of the Pony infostealer. This malware family can collect browser passwords and other information from a PC. Pony is usually used for reconnaissance, so crooks get a better overview of the infected system. Often, Pony goes hand in hand with banking Trojans, but this behavior was not observed for RAA infections.
RAA only encrypts 16 file types and then displays its ransom note.
The ransomware asks for $250 in bitcoin as payment, claims to use AES-256 encryption, and asks users to contact the malware author via email to receive their decryption keys. RAA is currently undecryptable, said Lawrence Abrams of Bleeping Computer in a blog post.