The ransomware was initially discovered by two security researchers, @JAMES_MHT and @benkow_. According to them, RAA encrypts files with CryptoJS, an open source JavaScript library that is easy to use and implements cipher algorithms such as AES and DES. RAA scans the victim's machine and encrypts selected files with AES-256. Like other ransomware strains, it appends '.locked' to the names of the files it encrypts. It targets images, Word, Excel, and Photoshop documents, as well as archive formats such as .zip and .rar, while sparing the Program Files, Windows, AppData, and Microsoft directories.
“At this point, there is no way to decrypt the files for free,” Lawrence Abrams, founder of Bleeping Computer, said in his blog post. Meanwhile, users are advised to avoid opening attachments with the filenames mentioned above, even if they’re enclosed in a .zip archive.
Update: June 21, 2016
It is believed that the attackers behind RAA chose the JScript scripting language to make detection more difficult and obfuscation easier. Most malware is written in compiled languages, and ransomware is usually delivered as an executable, so a payload written in a scripting language that is not commonly used to deliver malware is less likely to be flagged by defenses tuned to executables. Every hour the ransomware stays undetected gives the criminals more time to maximize their profit.