
RAA-SEP (.locked) Ransomware Help & Support Topic - !!!README!!!<ID>.rtf


6 replies to this topic

#1 Demonslay335

Posted 13 June 2016 - 09:32 AM

A new ransomware has been discovered to be spread via malicious email attachments, calling itself RAA (with references to "RAA-SEP" in the code). Credit to @JAMES_MHT and @benkow_ for helping discover this.

 

The victim's files are encrypted using AES, and have the extension ".locked" appended. The following message is displayed to the victim with the filename "!!!README!!!<ID>.rtf", asking the victim to contact the email address raa-consult1@keemail.me.

 

[screenshot of the RAA ransom note]

 

The following extensions are targeted.

 

 

.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv

 

If a path contains any of the following strings, it will be skipped.

 

 

Windows, RECYCLER, Program Files, Program Files (x86), Recycle.Bin, APPDATA, TEMP, ProgramData, Microsoft

 

Shadow Copies are confirmed to be deleted.

 

Analysis is still ongoing with this variant. One interesting note is that the entire ransomware routine is written purely in JavaScript. It is also packaged with malware known as Pony, which is known for stealing passwords from a victim's computer.

 

If you or someone you know has been affected by this ransomware, please post here and stay tuned for any possible developments.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.

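A defender-side triage helper built from the indicators in the post above (example code added here, not from the original post or from the ransomware): it labels paths as an encrypted file, a ransom note, or a targeted file the routine would not have skipped, and pulls the victim ID out of the note filename. Whether RAA's path filter is case-sensitive is not stated in the post and is assumed here; the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the post: targeted extensions, skipped path strings,
# the appended ".locked" extension and the "!!!README!!!<ID>.rtf" note name.
TARGETED_EXTS = {".doc", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr",
                 ".psd", ".cd", ".mdb", ".png", ".lcd", ".zip", ".rar", ".csv"}
SKIP_STRINGS = ["Windows", "RECYCLER", "Program Files", "Program Files (x86)",
                "Recycle.Bin", "APPDATA", "TEMP", "ProgramData", "Microsoft"]
NOTE_RE = re.compile(r"^!!!README!!!(?P<id>[0-9A-Fa-f-]+)\.rtf$")

def is_skipped(path: str) -> bool:
    """Substring match as listed in the post; case-sensitive matching is an assumption."""
    return any(s in path for s in SKIP_STRINGS)

def classify(path: str) -> str:
    """Label a path: 'note' (ransom note), 'encrypted' (.locked over a targeted
    extension), 'at_risk' (targeted, not skipped, still plain) or 'other'."""
    p = PureWindowsPath(path)
    if NOTE_RE.match(p.name):
        return "note"
    if p.suffix == ".locked":
        return "encrypted" if PureWindowsPath(p.stem).suffix.lower() in TARGETED_EXTS else "other"
    if p.suffix.lower() in TARGETED_EXTS and not is_skipped(path):
        return "at_risk"
    return "other"

def triage(paths):
    """Group paths by label and collect the victim ID(s) embedded in note names."""
    groups = {"note": [], "encrypted": [], "at_risk": [], "other": []}
    ids = set()
    for path in paths:
        label = classify(path)
        groups[label].append(path)
        if label == "note":
            ids.add(NOTE_RE.match(PureWindowsPath(path).name).group("id"))
    return groups, sorted(ids)

# Constructed sample paths; the ID is the one quoted in the note translation in this thread.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.doc.locked",
    r"C:\Users\alice\Documents\!!!README!!!E993A9FD-C5D9-4128-AF38-71A54E1258DA.rtf",
    r"D:\!!!README!!!E993A9FD-C5D9-4128-AF38-71A54E1258DA.rtf",
    r"C:\Users\alice\Pictures\holiday.jpg",      # targeted, not yet touched
    r"C:\Program Files (x86)\app\data.mdb",       # skipped by the path filter
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```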


#2 Amigo-A


Posted 13 June 2016 - 10:57 AM

Again in the Russian language.

 

Are these HTML or JPEG files?


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project (In Russian) + Google Translate Technology and links


#3 Amigo-A


Posted 13 June 2016 - 11:09 AM

My English translation. The original style of writing is saved.
 
*** ATTENTION! ***
Your files have been encrypted virus RAA.
For encryption was used algorithm AES-256, which used to protect information of state secrets.
This means that data can be restored only by purchasing a key from us.
Buying key - a simple deed.
All you need to:
1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address
raa-consult1@keemail.me.
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address
15ADP9ErZTNgU8gBoJWFCujGbJXCRDzgTv.
For information on how to buy Bitcoin for rubles with any card -
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.
Importantly (1).
Do not attempt to pick up the key, it is useless, and can destroy your data permanently.
Importantly(2).
If the specified address (raa-consult1@keemail.me) you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).
More details about the program - https://bitmessage.org/wiki/Main_Page
Importantly (3).
We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.
README files located in the root of each drive.

Edited by Amigo-A, 14 June 2016 - 03:42 AM.



#4 jostya


Posted 17 June 2016 - 02:11 AM

If you or someone you know has been affected by this ransomware, please post here and stay tuned for any possible developments.

I have a problem.
Is there now a cure for the encrypted files?

I have this problem.
Is there a cure for the encrypted files now?



#5 Demonslay335


Posted 17 June 2016 - 08:55 AM

@jostya
Afraid there is currently no way to decrypt RAA at this time. It's advised to backup your data and hope for the future.



#6 jostya


Posted 17 June 2016 - 08:59 AM

As I understand it: the virus encrypts the files and deletes the originals?
Only one thing remains: to restore the deleted files...

As I understand it: the virus encrypts the file and deletes the original?
Only one thing remains: to recover the deleted files...

Edited by jostya, 17 June 2016 - 08:59 AM.


#7 Demonslay335


Posted 17 June 2016 - 09:10 AM

You can certainly try using tools such as Recuva, ShadowExplorer, and PhotoRec. Ransomware typically deletes shadow copies and overwrites or deletes the original file, but sometimes you may get lucky and recover a handful of files if it failed to do so properly. No guarantees, but it is always worth a try since they are free tools.






