Quote

Demands $250, steals passwords for good measure

 

New ransomware written entirely in JavaScript has appeared encrypting users files for a US$250 (£172, A$336) ransom and installing a password-stealing application.

Researchers @jameswt_mht and @benkow_ found the ransomware they dubbed RAA.

Bleeping Computer malware man Lawrence Abrams described the ransomware noting it is shipped as a JS file and uses the CryptoJS library for AES encryption.

“RAA is currently being distributed via emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js,” Abrams says.

“When the JS file is opened it will encrypt the computer and then demand a ransom of about US$250 USD to get the files back.

“To make matters worse, it will also extract the embedded password stealing malware called Pony from the JS file and install it onto the onto the victim’s computer.”

The ransomware launches a word document that appears to be corrupted, and serves to distract users while the malware encrypts files.

Microsoft in April warned of a spike in malicious JavaScript email attachments shortly before virus writers behind Locky sent their ransomware in that format.

Trend Micro researchers say Locky and RAA use JavaScript files also as malware downloaders which obtain and install a malware.

“The RAA ransomware is considered unique because it’s rare to see client-side malware written in web-based languages like JavaScript, which are primarily designed to be interpreted by browsers,” they say . “… users are advised to avoid opening attachments with the filenames mentioned above, even if they’re enclosed in a .zip archive.”

No means yet exist for free decryption.

Rule of thumb, do not open attachments unless you are absolutely sure the sender is valid and actually sending you something for which you asked.

We receive many emails with malware attachments from ***known*** users because they are irresponsible and do not secure their passwords or systems with strong passwords and anti-malware software. So even if you recognize the sender, do not assume it is safe.