RAA Ransomware Coded in JavaScript

A New RAA Ransomware Coded in JavaScript

Ransomware known as RAA encrypts files, demands a ransom of US $250, and installs a password-stealing application on infected computers. RAA is written entirely in JavaScript, which could increase the likelihood of infection as JavaScript documents do not always trigger security alerts or require administrator access to run on Windows machines.

RAA is distributed mostly by email using an attached Javascript (.JS) file. When a victim double-clicks on this JS file, Windows will execute the default program associated with javascript files. By default, this is the Windows Script Host or wscript.exe.

When the file is executed, it will generate a fake word document in the %MyDocuments% folder. This word document will have a name similar to doc_attached_CnIj4 and will be automatically opened to make it look like the attachment was corrupted.

When files are encrypted they will append with the .locked extension to the filename. That means if a file is called test.jpg it will be encrypted and renamed as test.jpg.locked. The file types targeted by this infection are:

.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, 
.zip, .rar, .csv

If you wish to disable the windows script host, which is enabled by default in Windows,you can add the following DWORD Registry entry to your computer and set the value to 0.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled