RAA Ransomware Composed Entirely of JavaScript

Researchers this week claim they’ve noticed a new strain of ransomware unlike any they’ve seen prior – a type composed entirely of JavaScript.

We’ve already seen ransomware take on many forms this year, but researchers this week claim they’ve noticed a new strain unlike any they’ve seen prior–a type composed entirely of JavaScript.

The ransomware, dubbed RAA by researchers, has been circulating through attachments masquerading as Word .doc files according to Lawrence Abrams, who wrote about the malware late Monday night on his site BleepingComputer.com.

Initially discovered by two security researchers, @JAMES_MHT and @benkow_, RAA encrypts files using code from CryptoJS, an open source library that’s easy to use and handles cipher algorithms like AES, DES, and so on. In this instance, RAA scans victims’ machines and encrypts select files with AES-256.

As soon as someone opens the file, the ransomware encrypts files on the victim’s machine, and asks for a ransom, roughly $250 USD. If that wasn’t enough the ransomware also installs a version of Pony, the well-known password stealer, which is embedded in the JavaScript file as an encoded string on the same machine.

This is the first time researchers have observed attackers using CryptoJS in ransomware but it could be a sign of things to come, Abrams claims.

“JS-based attacks are definitely becoming more popular, but for the most part ransomware has still been compiled code,” Abrams told Threatpost Tuesday, “I think we are seeing a lot of JS-based installers lately simply because they are easier to write and debug,”

“Also, by obfuscating them, it makes it harder for them to be analyzed by AV scanners. For example, as of today this JS file only has a 6/44 detection rating,” Abrams added, pointing out the file’s rating on VirusTotal.

Like a lot of strains of ransomware as of late, RAA appends “.locked” to the end of filenames. While the ransomware spares certain Program files, Windows files, AppData and Microsoft files, it targets images, along with Word, Excel, and Photoshop files, in addition to storage formats like zip and .rar files.


The ransom note RAA leaves on desktops instructs the victims to send 0.39 Bitcoin, or $250, a specific Bitcoin address. Only after that’s been done can victims acquire a key and decrypt their files, the note stipulates.

It’s unclear how successful RAA will be in the near future. According to Abrams it appears about 65 victims were tricked into opening the JS file over the last few days but the command and control server associated with the ransomware has since been shut down.

Earlier this year Fabian Wosar, a researcher with Emisoft, discovered a similar type of ransomware that was created with Node.js and packaged into an executable but this is the first time that ransomware has been seen being delivered solely by a standard JS file.

Suggested articles