RAA targets Windows OS and is distributed via emails containing JavaScript files disguised as document attachments. Opening the malicious file generates a phony Word document in the “My Documents” folder. Subsequently, RAA will identify all connected drives with open write permissions, scan them for specific files types, and proceed to encrypt them with AES using code from the CryptoJS library. Files encrypted by RAA display .locked as the extension. To prevent file restoration, it deletes Shadow Volume Copies as well as the Windows Volume Shadow Copy Service. RAA also installs Pony, a Trojan that decrypts and steals passwords, onto the infected system. RAA demands a ransom payment of 0.39 Bitcoin, or $250 USD.

UPDATE 9/12/2016: A new version of RAA arrives in a password-protected zip archive attachment, coded in JScript, and can perform encryption offline and without connecting to its C2 server. RAA #2 has been seen specifically targeting Russian-speaking corporate employees.

  • Bleeping Computer provides more information about RAA here.
  • The NJCCIC is not aware of any decryption tools available for RAA.
One example of the RAA variant. Image Source: PCrisk

One example of the RAA variant. Image Source: PCrisk

Ransomware VariantsNJCCICRAA