The Pony payload is dropped alongside the ransomware as an "extra" whose job is to steal sensitive data.
Pony belongs to a malware family that harvests credentials and other sensitive data, such as stored passwords and login details, from an infected PC. Attackers use it to spy on compromised machines, which means an RAA infection is a credential-theft incident as well as a ransomware incident: restoring files does not undo what Pony has already sent out.
Unlike most ransomware, which targets a long list of extensions, RAA encrypts only 16 file types, appending the ".locked" extension to each encrypted file. The ransom note is written in Russian and demands about $250, payable in Bitcoin. RAA claims to use AES-256 encryption and tells victims to contact the operators by email to obtain a decryption key. To close off the usual recovery route, RAA deletes the Volume Shadow Copy Service (VSS) snapshots, so the files cannot be restored from local shadow copies, which pressures victims into paying. It also threatens to delete the decryption key if payment is not made within a week.
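The two behaviours just described, a burst of files being renamed to ".locked" and the removal of VSS snapshots, are exactly what a detection rule can key on. The script below is an added example for this article, not code from the original piece or from any vendor; it runs over constructed sample events (not real RAA telemetry). The page only says RAA deletes VSS files, so the assumption that the deletion shows up as a `vssadmin delete shadows` or `wmic shadowcopy delete` process launch is the example's, not the article's.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events for this example (not real RAA telemetry).
# Format: ISO timestamp, pid, operation, argument.
# The vssadmin line is an assumed VSS-deletion mechanism; the article only
# states that RAA deletes VSS files, not how.
SAMPLE_LOG = """\
2016-06-13T10:00:02 4120 RENAME C:\\Users\\ann\\Documents\\report.docx -> C:\\Users\\ann\\Documents\\report.docx.locked
2016-06-13T10:00:02 4120 RENAME C:\\Users\\ann\\Documents\\budget.xlsx -> C:\\Users\\ann\\Documents\\budget.xlsx.locked
2016-06-13T10:00:03 4120 RENAME C:\\Users\\ann\\Pictures\\family.jpg -> C:\\Users\\ann\\Pictures\\family.jpg.locked
2016-06-13T10:00:03 4120 RENAME C:\\Users\\ann\\Documents\\thesis.pdf -> C:\\Users\\ann\\Documents\\thesis.pdf.locked
2016-06-13T10:00:04 4120 RENAME C:\\Users\\ann\\Documents\\notes.txt -> C:\\Users\\ann\\Documents\\notes.txt.locked
2016-06-13T10:00:05 4120 PROC   vssadmin.exe delete shadows /all /quiet
2016-06-13T10:01:10 0987 RENAME C:\\Users\\ann\\Desktop\\todo.txt -> C:\\Users\\ann\\Desktop\\todo.txt.bak
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$")
LOCKED_EXT = ".locked"
# Assumed command lines that remove shadow copies (not taken from the article).
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)


def parse_log(text):
    """Turn the text log into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, pid, op, arg = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "pid": int(pid),
                       "op": op, "arg": arg})
    return events


def locked_rename_bursts(events, threshold=5, window_seconds=60):
    """Per pid, the largest number of renames to .locked inside any time window.
    Returns {pid: count} for pids that reach the threshold."""
    per_pid = defaultdict(list)
    for e in events:
        if e["op"] == "RENAME" and e["arg"].lower().endswith(LOCKED_EXT):
            per_pid[e["pid"]].append(e["ts"])
    flagged = {}
    for pid, times in per_pid.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):           # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pid] = best
    return flagged


def shadow_copy_deletions(events):
    """Process launches whose command line removes VSS snapshots."""
    return [e for e in events if e["op"] == "PROC" and SHADOW_DELETE.search(e["arg"])]


def assess(text, threshold=5, window_seconds=60):
    """Combine both signals: mass .locked renames plus shadow-copy deletion."""
    events = parse_log(text)
    bursts = locked_rename_bursts(events, threshold, window_seconds)
    vss = shadow_copy_deletions(events)
    if bursts and vss:
        verdict = "ransomware-like"
    elif bursts or vss:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"locked_bursts": bursts,
            "shadow_deletions": [e["pid"] for e in vss],
            "verdict": verdict}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG))
```

The rename burst alone is a strong signal; the shadow-copy deletion on its own is weaker, since administrators do run it legitimately, which is why the two are combined before calling the activity ransomware-like. The process writing the ".locked" files is the one to kill and collect, and because Pony rides along, its network activity deserves the same attention as the encryption.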
At the moment, RAA appears to target only Russian-speaking users, given that the ransom note is written in Russian. That may not last: the operators could decide to spread the threat internationally, and there is a real chance RAA will start infecting users in more locations, bringing the Pony info-stealer along with it. Taking preventive measures now, including offline backups that do not depend on VSS snapshots and resetting credentials after any suspected infection, is therefore a good idea.