RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js. When the JS file is opened it will encrypt the files on the computer and then demand a ransom of ~$250 USD to get them back. To make matters worse, it will also extract the embedded password-stealing malware called Pony from the JS file and install it onto the victim's computer. More information about the embedded Pony malware can be found here.
For those who need support with this ransomware, we have a dedicated forum topic here: RAA-SEP (.locked) Ransomware Help & Support Topic - !!!README!!!
When the file is executed, it will generate a fake word document in the %MyDocuments% folder. This word document will have a name similar to doc_attached_CnIj4 and will be automatically opened to make it look like the attachment was corrupted.
While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption.
When a file has been encrypted, it will append the .locked extension to the filename. This means that a file called test.jpg would be encrypted and renamed as test.jpg.locked. The file types targeted by this infection are:
.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv
When encrypting files, RAA will skip any files whose filenames contain .locked, ~, and $ or are in the following folders:
Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData, Microsoft
While the ransomware executes it will also delete the Windows Volume Shadow Copy Service (VSS) so that it cannot be used to recover files from the shadow volume copies. As there are two obfuscated functions that deal with the VSS service, it is unclear if they delete the shadow copies before deleting the service. As we further deobfuscate the source code, we will update this article.
Finally, the ransomware will create a ransom note on the desktop called !!!README!!![id].rtf, with [id] being the unique ID assigned to the victim. The text of this ransom note is in Russian and you can see its contents below.
BleepingComputer member Amigo-A has translated the Russian ransom note to English below:
*** ATTENTION! ***
Your files have been encrypted by the RAA virus. For encryption the AES-256 algorithm was used, which is used to protect state secrets. This means that data can be restored only by purchasing a key from us.
Buying a key is a simple deed. All you need to do:
1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address firstname.lastname@example.org.
2. Test decrypt a few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($250) to the Bitcoin address 15ADP9ErZTNgU8gBoJWFCujGbJXCRDzgTv. For information on how to buy Bitcoin for rubles with any card - https://www.bestchange.ru/visa-mastercard-rur-to-bitcoin.html
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.
Importantly (1). Do not attempt to pick the key yourself; it is useless and can destroy your data permanently.
Importantly (2). If from the specified address (email@example.com) you have not received a reply within 3 hours, you can use the Bitmessage service for communication (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv). More details about the program - https://bitmessage.org/wiki/Main_Page
Importantly (3). We CAN NOT keep your keys for long. All keys for which no fee has been paid are removed within a week after infection.
README files are located in the root of each drive.
The JS file will then be set as an autorun so that it is executed every time the victim logs into Windows. This also allows it to encrypt any new documents that were created since the last login.
At this point there is no way to decrypt the files for free. If anything is discovered in the future, this article will be updated.
If it wasn't bad enough for a victim to have their files encrypted, the RAA ransomware also installs the Pony password-stealing Trojan onto the victim's computer. Instead of downloading and installing Pony from the Internet, the malware developers converted the Pony malware into a base64-encoded string that they embedded into the JS file.
You can see a portion of the encoded file as the variable data_pn in the obfuscated code snippet below.
Below is the same function, but now deobfuscated so that you can see exactly what is going on. When this function is executed, the data_pn string is decoded back to its original binary format and saved as %MyDocuments%\st.exe. Once saved, it will execute the Pony executable.
As the JS file is set as an autorun, Pony will be extracted and executed every time the user logs into the computer.
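As an added example (not code from this article or from the malware), the following Python script shows how an analyst can triage a JS dropper for an embedded executable carried the way RAA carries Pony: it finds long base64 string literals assigned to variables, decodes them, and reports those that begin with the MZ header of a Windows executable, along with a SHA-256 for hash lookups. The sample JS text and payload bytes are constructed; only the variable name data_pn comes from the article.

```python
import base64
import hashlib
import re

# Constructed stand-in for the dropper. The payload is a synthetic byte string
# that only mimics the "MZ" DOS header of a PE file; it is NOT the Pony binary.
FAKE_PE = (
    b"MZ" + b"\x90" * 62
    + b"This program cannot be run in DOS mode." + b"\x00" * 40
)
SAMPLE_JS = (
    'var x1 = "aGVsbG8=";\n'  # short blob: decodes to "hello", not a PE
    'var data_pn = "' + base64.b64encode(FAKE_PE).decode() + '";\n'
    'var out = ws.ExpandEnvironmentStrings("%MyDocuments%") + "\\\\st.exe";\n'
)


def find_embedded_executables(js_text: str, min_len: int = 64):
    """Return one dict per base64 string literal in js_text (of at least
    min_len characters) whose decoded bytes start with the 'MZ' DOS header."""
    # <identifier> = "<base64 text>"  (single or double quotes; blobs may wrap)
    pattern = re.compile(
        r'(\w+)\s*=\s*["\']([A-Za-z0-9+/=\r\n]{%d,})["\']' % min_len
    )
    hits = []
    for name, blob in pattern.findall(js_text):
        try:
            data = base64.b64decode(re.sub(r"\s", "", blob), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue  # not valid base64 (e.g. an obfuscated string literal)
        if data[:2] == b"MZ":
            hits.append({
                "variable": name,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "payload": data,
            })
    return hits


if __name__ == "__main__":
    for hit in find_embedded_executables(SAMPLE_JS):
        print(f'{hit["variable"]}: {hit["size"]} bytes, sha256={hit["sha256"]}')
```

Run it against a real sample by reading the .js file into js_text; a hit means the script carries its own executable, so the dropped file (st.exe in RAA's case) should be hunted for on disk and in the Run key rather than only on the network.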
If you wish to disable the Windows Script Host, which is enabled by default in Windows, you can add the following DWORD registry value to your computer and set it to 0.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
Now that the Windows Script Host is disabled, any time someone on that computer tries to execute a JS file outside of the browser, Windows will block it and display the following alert.
Files associated with the RAA ransomware:
%Desktop%\!!!README!!![id].rtf
%MyDocuments%\doc_attached_[random_chars]
%MyDocuments%\st.exe
Registry entries associated with the RAA ransomware:
HKCU\RAA\Raa-fnl
HKCU\Software\Microsoft\Windows\CurrentVersion\Run @ = "[path_to_JS_file]"