RAA Ransomware Coded in JavaScript
A New RAA Ransomware Coded in JavaScript
RAA is distributed mostly by email using an attached JavaScript (.JS) file. When a victim double-clicks this JS file, Windows runs it with the default program associated with JavaScript files. By default, this is the Windows Script Host (wscript.exe).
When the file is executed, it generates a fake Word document in the %MyDocuments% folder. This Word document has a name similar to doc_attached_CnIj4 and is opened automatically to make it look like the attachment was corrupted.
When files are encrypted, the .locked extension is appended to the filename. For example, a file called test.jpg is encrypted and renamed to test.jpg.locked. The file types targeted by this infection are:
.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv
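For scoping an incident, the rename pattern described above can be searched for directly on a disk or share. The following is an added example, not code from the original article; the function names and the sample directory tree are constructed for illustration.

```python
"""Triage helper: list files matching RAA's rename pattern (<name>.<ext>.locked)."""
import os
import tempfile
from collections import Counter

# Targeted extensions, copied from the list on this page.
TARGETED = {".doc", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr",
            ".psd", ".cd", ".mdb", ".png", ".lcd", ".zip", ".rar", ".csv"}
MARKER = ".locked"


def original_name(filename):
    """Return the pre-encryption name if filename fits the pattern, else None."""
    if not filename.lower().endswith(MARKER):
        return None
    stem = filename[:-len(MARKER)]
    # Only count the file if the inner extension is one RAA targets;
    # this skips unrelated files that merely end in ".locked".
    ext = os.path.splitext(stem)[1].lower()
    return stem if ext in TARGETED else None


def scan(root):
    """Walk root; return (hits, per-extension counts), hits = (path, original name)."""
    hits, counts = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            orig = original_name(name)
            if orig is not None:
                hits.append((os.path.join(dirpath, name), orig))
                counts[os.path.splitext(orig)[1].lower()] += 1
    return sorted(hits), counts


def demo():
    """Run scan() over a constructed directory tree (sample data, not real IoCs)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Pictures"))
        for rel in ("test.jpg.locked", "Pictures/HOLIDAY.PNG.LOCKED",
                    "report.pdf", "notes.txt.locked", "db.locked"):
            open(os.path.join(root, rel), "w").close()
        hits, counts = scan(root)
        return [orig for _path, orig in hits], dict(counts)


if __name__ == "__main__":
    print(demo())
```

The per-extension counts give a quick picture of which data was hit, and the recovered original names can be matched against backups.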
If you wish to disable the Windows Script Host, which is enabled by default in Windows, you can add the following DWORD Registry entry to your computer and set the value to 0.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled