Security researchers have uncovered an entirely JavaScript based ransomware variant that is not only being used to lock infected devices with AES encryption, but also to deliver the Pony info-stealer. Pony is used to obtain users’ passwords and login credentials to launch further attacks. This means that while a ransom may have to be paid to regain access to important files, the victim is also highly likely to suffer further losses.

JavaScript based malware is nothing new. Criminals have been using JavaScript files to infect devices with ransomware for some time, yet previously JavaScript has most commonly been used to download ransomware to infected devices. The latest threat exclusively uses JavaScript and requires no additional downloads.

RAA Ransomware Delivered via Spam Email

The attack starts with a spam email containing a malicious attachment. The attached file appears to be a document, but it is actually a malicious JavaScript file. Opening the file will result in a fake Word document being created in the user’s My Documents folder. That file is then opened automatically leading the victim to believe that the file attachment is corrupted. However, processes will still be running in the background. The malicious JavaScript file – dubbed RAA ransomware – does not contain any cryptographic functions, instead it uses the CryptoJS library to lock files with AES encryption.

First, all drives – local, network, and portable – are scanned for specific file extensions, including documents and spreadsheets (DOC, RTF, XLS, CSV, PDF), compressed files (ZIP, RAR), image files (JPG, PSD, PNG, DWG, CDR, CD), database files (DBF, MDF), and LCD disk images.

Once the targeted files are identified, the JavaScript based ransomware then encrypts those files using AES encryption and replaces the extension with “.locked.” To make it harder for the victims to recover from the infection without paying the ransom, RAA ransomware also deletes the Windows Volume Shadow Copy Service (VSS) as well as all shadow copies. Finally, files are created on the Desktop which detail how much must be paid to obtain the decryption keys and instructions on how payment must be made.

JavaScript Based Ransomware Delivers the Pony Info Stealer

This JavaScript based ransomware also includes the pony info stealer. In contrast to other malware which can download additional malicious files from the Internet, RAA ransomware has the Pony info-stealer embedded as a base64 encoded string. The string is decoded and also saved to the My Documents folder and is then run automatically.

The RAA ransomware is set to run automatically each time the computer is booted, and it will install Pony each time. Since the ransomware runs on boot it will encrypt any of the above file extensions that have been created or downloaded since the last time the ransomware was executed. At present, there is no way of decrypting the files without paying the ransom.

To protect against attacks, end users must be vigilant and not open any files attachments sent from unknown individuals. Sys admins must also ensure that all files are regularly backed up and back up devices are air-gapped.