About the RAA ransomware

Written by William Reddy

Unlike Ransom32, RAA does not rely on the NW.js framework, which allows JavaScript applications to be built for Windows, OS X and Linux. For its encryption routine RAA uses the CryptoJS cryptographic library, with which it encrypts the user's files. It also installs the Pony password stealer on the system, detected by ESET as Win32/PSW.Fareit.A.

The malware usually spreads as a malicious attachment to email messages. The attachment is disguised as a Word document (.doc). To mask its malicious activity, the malware drops a decoy file into %userprofile%\Documents and tries to open it with WordPad.

To survive a reboot, the ransomware registers itself in the well-known Run key of the registry. The value of that entry holds the path to the original dropper.
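A Run-key entry that points back at the dropped attachment is exactly the kind of persistence a responder would look for first. The following is an added example written for this page, not code from the original write-up or from the malware: a small triage function that takes the name/value pairs of a Run key and flags entries that start a script file, go through a script host, or run from a user-writable location. The script hosts, extensions and path fragments it keys on are hunting heuristics chosen for the example, and the Run entries it is fed are constructed, not taken from a real host.

```python
import re
from pathlib import PureWindowsPath

# Hunting heuristics chosen for this example (assumptions, not indicators
# taken from the write-up): script hosts and script extensions a
# JavaScript dropper would need, plus path fragments that ordinary users
# can write to, which is where an email attachment ends up.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\",
                       "\\programdata\\", "\\downloads\\")


def split_command(value):
    """Split a Run value into tokens, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]


def classify_run_value(value):
    """Return (severity, reasons) for one Run value.

    'high'   - a script file or script host is involved
    'review' - an executable started from a user-writable location
    None     - nothing noteworthy
    """
    tokens = split_command(value)
    if not tokens:
        return None, []
    reasons = []
    program = PureWindowsPath(tokens[0])
    targets = [program]
    # wscript.exe "C:\...\x.js": the interesting file is the first argument.
    if program.name.lower() in SCRIPT_HOSTS and len(tokens) > 1:
        targets.append(PureWindowsPath(tokens[1]))
        reasons.append(f"launched via script host {program.name}")
    script = bool(reasons)
    for target in targets:
        if target.suffix.lower() in SCRIPT_EXTENSIONS:
            reasons.append(f"script file {target.name}")
            script = True
        if any(h in str(target).lower() for h in USER_WRITABLE_HINTS):
            reasons.append(f"runs from user-writable path {target}")
    if script:
        return "high", reasons
    return ("review", reasons) if reasons else (None, reasons)


def suspicious_run_entries(entries):
    """Map Run value name -> (severity, reasons) for every flagged entry."""
    flagged = {}
    for name, value in entries.items():
        severity, reasons = classify_run_value(value)
        if severity:
            flagged[name] = (severity, reasons)
    return flagged


# Constructed sample of HKCU\...\Run values (names and paths invented for
# this example). On a live host the same dict can be filled from winreg.
SAMPLE_RUN_ENTRIES = {
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'wscript.exe "C:\Users\alice\Downloads\doc_invoice.js"',
    "Docs": r"C:\Users\alice\AppData\Roaming\invoice.js",
}

if __name__ == "__main__":
    for name, (severity, reasons) in suspicious_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(f"[{severity}] {name}: {'; '.join(reasons)}")
```

The "review" tier exists because legitimate per-user software (the constructed OneDrive entry, for instance) also starts from under the profile; the path heuristic alone is a prompt to look, while a script host or script extension in a Run value is the pattern that matches this dropper and is rated "high".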

The ransomware also disables the Volume Shadow Copy Service (VSS). This is done so that the original copies of user files cannot be restored after encryption (for example through File History). As a result, an attempt to restore a file to a previous version fails, as does an attempt to use System Restore.

The ransomware encrypts files with the following extensions: .doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv. Files whose names contain ".locked", "~" or "$" are skipped.

Files located in the following directories are excluded from encryption: Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData and Microsoft.
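The extension list, the skip markers and the directory exclusions together define what RAA would touch, which is what a responder needs to scope the damage on a compromised host. The block below is an added example written for this page, not the ransomware's code or anything from the original write-up: it encodes those three rules as a filter over a file listing so that the set of affected files can be estimated from a directory inventory. The sample paths are constructed; the handling of the recycle bin's on-disk name ("$Recycle.Bin") is an assumption made here, since the write-up just says "Recycle.Bin".

```python
from pathlib import PureWindowsPath

# Extensions the write-up lists as targets (lower-case, including the dot).
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr", ".psd",
    ".cd", ".mdb", ".png", ".lcd", ".zip", ".rar", ".csv",
}

# A file whose name contains any of these is skipped (".locked" marks a file
# that is already encrypted; "~" and "$" are typical of Office lock/temp files).
SKIP_MARKERS = (".locked", "~", "$")

# Directory names excluded from encryption, matched case-insensitively against
# each directory component of the path. The on-disk name of the recycle bin
# is "$Recycle.Bin", so a leading "$" is stripped before comparing (assumption
# made for this example; the write-up just says "Recycle.Bin").
EXCLUDED_DIRS = {
    "program files", "program files (x86)", "windows", "recycle.bin",
    "recycler", "appdata", "temp", "programdata", "microsoft",
}


def is_target(path):
    """True if the selection rules above would pick this file for encryption."""
    p = PureWindowsPath(path)
    for part in p.parts[:-1]:
        if part.lower().lstrip("$") in EXCLUDED_DIRS:
            return False
    if any(marker in p.name for marker in SKIP_MARKERS):
        return False
    return p.suffix.lower() in TARGET_EXTENSIONS


def select_targets(paths):
    """Return, in input order, the paths RAA would encrypt."""
    return [path for path in paths if is_target(path)]


# Constructed file listing used to exercise the rules (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.doc",
    r"C:\Users\alice\Documents\report.doc.locked",       # already encrypted
    r"C:\Users\alice\Documents\~$report.doc",            # Office lock file
    r"C:\Users\alice\Pictures\holiday.JPG",              # extension match is case-insensitive
    r"C:\Users\alice\Pictures\notes.txt",                # extension not targeted
    r"C:\Users\alice\AppData\Roaming\app\settings.csv",  # under AppData
    r"C:\Program Files\Vendor\manual.pdf",               # under Program Files
    r"C:\$Recycle.Bin\S-1-5-21-1\deleted.xls",           # recycle bin
    r"D:\shares\finance\2016\budget.xls",                # secondary or mapped drive
]

if __name__ == "__main__":
    for path in select_targets(SAMPLE_PATHS):
        print(path)
```

Note the asymmetry the rules create: a single excluded directory anywhere in the path protects everything beneath it, whereas a secondary or mapped drive gets no such protection, so shares reachable from the infected user's session are in scope.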

The ransom note is stored in a file named !!! README !!! that is created on the desktop. It demands a ransom of 0.32 bitcoin, or $250, from the user. The contents of the file are shown below.

The malware sample has the following SHA1 hash:
RAA: 2c0b5637701c83b7b2aeabdf3120a89db1dbaad7

Unfortunately, decrypting files encrypted by RAA does not currently appear to be possible, which once again underlines the importance of keeping timely backups.

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.
