The ransomware, dubbed RAA by researchers, has been circulating through attachments masquerading as Word .doc files according to Lawrence Abrams, who wrote about the malware late Monday night on his site BleepingComputer.com.
Initially discovered by two security researchers, @JAMES_MHT and @benkow_, RAA encrypts files using code from CryptoJS, an open source library that’s easy to use and handles cipher algorithms like AES, DES, and so on. In this instance, RAA scans victims’ machines and encrypts select files with AES-256.
This is the first time researchers have observed attackers using CryptoJS in ransomware but it could be a sign of things to come, Abrams claims.
“JS-based attacks are definitely becoming more popular, but for the most part ransomware has still been compiled code,” Abrams told Threatpost Tuesday, “I think we are seeing a lot of JS-based installers lately simply because they are easier to write and debug,”
“Also, by obfuscating them, it makes it harder for them to be analyzed by AV scanners. For example, as of today this JS file only has a 6/44 detection rating,” Abrams added, pointing out the file’s rating on VirusTotal.
Like a lot of strains of ransomware as of late, RAA appends “.locked” to the end of filenames. While the ransomware spares certain Program files, Windows files, AppData and Microsoft files, it targets images, along with Word, Excel, and Photoshop files, in addition to storage formats like zip and .rar files.
@JAMESWT_MHT @enom @Hetzner_Online @malwrhunterteam @jedisct1 @_operations6_ @Antelox Pony+ ransom pic.twitter.com/Xxqcj82yrt
— Benkow moʞuƎq (@benkow_) June 13, 2016
The ransom note RAA leaves on desktops instructs the victims to send 0.39 Bitcoin, or $250, a specific Bitcoin address. Only after that’s been done can victims acquire a key and decrypt their files, the note stipulates.
It’s unclear how successful RAA will be in the near future. According to Abrams it appears about 65 victims were tricked into opening the JS file over the last few days but the command and control server associated with the ransomware has since been shut down.
Earlier this year Fabian Wosar, a researcher with Emisoft, discovered a similar type of ransomware that was created with Node.js and packaged into an executable but this is the first time that ransomware has been seen being delivered solely by a standard JS file.