New RAA ransomware written in JavaScript discovered

A new variety of ransomware called RAA has been discovered that has the somewhat unusual attribute of being coded in JavaScript instead of one of the more standard programming languages, which makes it more effective in certain situations.

RAA is being distributed by email through attachments that pretend to be a regular document file.

Bleeping Computer reported that security researchers @JAMES_MHT and @benkow_ found RAA and said it is being distributed by email through attachments that pretend to be a regular document file. Since JavaScript does not by itself include any built-in cryptography functions, the ransomware's creators use the CryptoJS library, which provides the AES encryption used to lock up the victims' files.

Using JavaScript as a ransomware delivery vehicle is not exactly new, but it is not a method seen every day, said Malwarebytes Senior Researcher Jerome Segura.

Kevin Epstein, vice president of threat operations center at Proofpoint, told SCMagazine.com in an email, “As we've previously discussed in our blog, JavaScript can provide an advantage for attackers in various ways over compiled .exe files -- but we've seen ransomware written in everything from C++ to straight .bat files; detection needs to be based on dynamic as well as static file examination methods."

Opening the attachment kicks off a series of steps that not only locks up the victim's files but also downloads additional malware onto the target computer. The attachment does not visibly do anything and appears to the victim to be a corrupted file, while in fact it is busy doing its dirty work in the background. This includes deleting the Windows Volume Shadow Copies so the encrypted files cannot be recovered, and setting the ransomware to run every time Windows starts up so it can capture any new information.

“JavaScript is heavily used on the web and so it's a little bit unusual to see an actual piece of ransomware powered by a scripting language. Having said that, we witness many different infection vectors that were once considered old school (like macros) or unsophisticated making a comeback,” he told SCMagazine.com.

Bleeping Computer said at this time there is no way to decrypt the files, although there are steps to be taken that can thwart the attack.

“I guess it shows that there is a multitude of ways to load ransomware and defenders need to stay vigilant. In this particular case, disabling email attachments that contain a JavaScript file would be a good way of thwarting those attacks since there really is no legitimate purpose in sending those files by email in a normal context,” Segura said.
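As an added example of the mail-filtering control described above (not code from the article or from any product it mentions), the following Python flags inbound attachments whose real extension is a Windows script type, including names such as "Document_12.doc.js" that are dressed up to look like an ordinary document. The sample message, its sender and the filenames are constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions that Windows Script Host executes when the file is double-clicked.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe"}


def is_script_attachment(filename: str) -> bool:
    """True if the attachment's effective extension is a script type.

    Windows picks the handler from the LAST extension, so a name like
    'Document_12.doc.js' is a script even though it looks like a document.
    """
    name = (filename or "").strip().lower()
    dot = name.rfind(".")
    if dot == -1:
        return False
    return name[dot:] in SCRIPT_EXTENSIONS


def find_script_attachments(raw_message: bytes) -> list[str]:
    """Parse an RFC 5322 message and return the filenames of script attachments."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if is_script_attachment(filename):
            flagged.append(filename)
    return flagged


def build_sample_message() -> bytes:
    """Constructed sample lure: one disguised script attachment, one benign PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed address
    msg["To"] = "recipient@example.com"     # constructed address
    msg["Subject"] = "Document"
    msg.set_content("Please see the attached document.")
    # The declared content type claims a Word document, but the extension says script.
    msg.add_attachment(b"var placeholder = 1;", maintype="application",
                       subtype="msword", filename="Document_12.doc.js")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_script_attachments(build_sample_message()))  # ['Document_12.doc.js']
```

A mail gateway would quarantine any message for which the returned list is non-empty; the declared MIME type is deliberately ignored because the sender controls it.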

The additional malware installed is the password stealing Pony trojan.