The Pony payload comes as an “extra” that could steal sensitive data.

JavaScript has long been exploited by hackers to help distribute their malware infections. None of them, however, has tried to fully employ it on a ransomware. Well, at least until now. It looks like security experts have recently discovered the pioneer – RAA Ransomware. This is the first cryptovirus entirely based on JavaScript. As any other Ransomware, of course, its main goal is to encrypt data and require a ransom for the decryption key. However, it comes with a Pony info-stealer Trojan as an “extra” that could do quite a mess on the victim’s system.

 

Actually, hackers have been working on integrating JS in this new form of online blackmail for quite a time now. The first attempts to employ JS on ransomware were detected earlier this year when security experts discovered Ransom32. However, this cryptovirus was only coded in Node.js, which hackers distributed as an executable. RAA, on the other hand, uses exclusively JavaScript and is delivered entirely as a .js file. The distribution mechanism is similar to that of many other well-known malware families. In order to infect more computers, the malicious actors would attach this new threat to a spam email. It is usually camouflaged as an Office document and users may easily get tricked into downloading and opening it. Of course, this interaction would be enough to execute the malware and start the encryption process.

RAA Ransomware Removal

The malicious script runs through Windows Script Host (WSH), thus gaining access to various system utilities. Another bad thing about this ransomware is that RAA comes with a payload called CryptoJS library. This JavaScript toolkit adds extra support for the cryptographic functions and allows it to encrypt the victims’ files. The same malicious payload is also able to download and install an info-stealer known as Pony. 

Pony comes from a malware family that can collect sensitive data and credentials such as passwords, login details as well as other information from an infected PC. It is effectively used by hackers to spy on compromised machines.

How to Decrypt Ransomware

Unlike other ransomware, RAA encrypts only 16 file types with the “.locked” file extension. The ransom note appears in Russian, asking for about $ 250 payable in Bitcoins. RAA claims to be using AES-256 encryption and asks the victims to contact the malicious actors via email in order to receive their decryption key.  To ensure that there is no way to restore the files, RAA deletes Windows Volume Shadow Copy Service (VSS) files, thus pressuring the victims into paying the ransom. Also, it threatens to delete the decryption key if the payment is not transferred within a week.

At the moment, it appears that the RAA ransomware is targeting only Russian-speaking users, having in mind that the ransom note is in Russian. However, it may not take long for the hackers to decide to spread this threat internationally. There is a real chance that RAA could start infecting users in more locations, bringing the Pony info-stealer along. Therefore, taking preventive measures even now is a good idea.