News & Blog

RAA...! A New and Unique Ransomware Threat

By Francis West on 23rd June 2016

Internet security researchers have discovered a new version of the malware known as ransomware. Dubbed ‘RAA’ this latest malicious program is unique because it is written in the web-based language Javascript. This could make it more likely to be activated and therefore to claim more victims.

Why Is It So Dangerous?

Whereas an operating system will typically block executable programs like .exe, Windows computers allow Javascript .js files to run. Javascript documents that are sent via email therefore won’t always trigger a security warning on Windows or require administrator access to run.

The fact that RAA is written completely in Javascript means that it has a much better chance of getting through basic email security on Windows machines. There is a real concern therefore that by opening a simple email containing RAA as an attachment a Windows computer could use the Windows Based Script Host to run its code and therefore simply install the ransomware.

Outlook is likely to automatically block Javascript .js files although some reports indicate that Gmail may not currently block .js files in email attachments and therefore could be a potential way for RAA to be spread.

A New Trend

Earlier this year Microsoft had reported seeing an increase in Javascript malware email attachments. This announcement proved to be very timely as it was followed by the spread of the ‘Locky’ ransomware program in May which used JavaScript-based attachments for its distribution.

What Happens When a RAA Email Is Opened?

When an email containing the RAA ransomware is opened, the program encrypts important files on the victim’s computer so that the person is essentially locked out of those files. RAA then displays the ransom message (reported to be in Russian in this case) which demands that the victim pays $250 to reverse the encryption and release the files.

As well as locking the files and posting a ransom demand, RAA also extracts embedded password stealing malware called 'Pony' from the .js file and installs it onto the affected computer.

What Does This Mean For Your Business?

Clearly businesses need to raise awareness among staff that they all need to be very careful about opening emails with attachments and / or emails from sources that are not familiar.

Keeping computer updates, patches, and anti virus software up to date is also very important.

Having a reliable, secure back up of your important files and folders is also advisable if not essential in today’s business environment. It is also possible to instruct Windows not to start the Windows Based Script Host when a .js file is double-clicked, thus potentially stopping the RAA file from installing.

If your computer is infected by RAA be aware that there is currently no way to reverse the RAA encryption without paying the ransom, although paying the ransom in these cases is not advisable.