Unlike Ransom32, RAA is not delivered via an executable, but rather is a standard JS file.
RAA is distributed through emails as attachments that pretend to be doc files and have names like mgJaXnwanxlS_doc_.js.
When the file is executed, it will generate a fake Word document in the %MyDocuments% folder. This Word document will have a name similar to doc_attached_CnIj4 and will be automatically opened to make it look like the attachment was corrupted.
While the victim thinks the attachment is corrupted, in the background the RAA Ransomware will start to scan all the available drives and determine if the user has read and write access to them. If the drives can be written to, it will scan the drive for targeted file types and use code from the CryptoJS library to encrypt them using AES encryption.
When a file has been encrypted, it will append the .locked extension to the filename. This means that a file called test.jpg would be encrypted and renamed as test.jpg.locked. The file types targeted by this infection are:
.doc, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .mdb, .png, .lcd, .zip, .rar, .csv
When encrypting files, RAA will skip any files whose filenames contain .locked, ~, and $ or are in the following folders:
Program Files, Program Files (x86), Windows, Recycle.Bin, Recycler, AppData, Temp, ProgramData, Microsoft
While the ransomware executes it will also delete the Windows Volume Shadow Copy Service (VSS) so that it cannot be used to recover files from the shadow volume copies.
Finally, the ransomware will create a ransom note on the desktop called !!!README!!![id].rtf, with [id] being the unique ID assigned to the victim. The ransom note is in Russian and translates to:
*** ATTENTION! ***
Your files have been encrypted virus RAA.
For encryption was used algorithm AES-256 is used to protect information of state secrets.
This means that data can be restored only by purchasing a key from us.
Buying key - a simple deed. All you need to:
1. Send your ID E993A9FD-C5D9-4128-AF38-71A54E1258DA to the postal address firstname.lastname@example.org.
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address 15ADP9ErZTNgU8gBoJWFCujGbJXCRDzgTv. For information on how to buy Bitcoin for rubles with any card - https://www.bestchange.ru/visa-mastercard-rur-to-bitcoin.html
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.
Importantly (1). Do not attempt to pick up the key, it is useless, and can destroy your data permanently.
Importantly (2). If the specified address (email@example.com) you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address - BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv). More details about the program - https://bitmessage.org/wiki/Main_Page
Importantly (3). We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.
README files located in the root of each drive.
The JS file will then be set as an autorun so that it is executed every time the victim logs into Windows. This also allows it to encrypt any new documents that were created since the last login.
It also installs Pony onto the victim's computer. Instead of downloading and installing Pony from the Internet, the malware developers converted the Pony malware into a base64-encoded string that they embedded into the JS file.
When this function is executed, the data_pn string is decoded back to its original format and saved as %MyDocuments%\st.exe. Once saved, it will execute the Pony executable.
As the JS file is set as an autorun, Pony will be extracted and executed every time the user logs into the computer.
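As an added defender-side example (not code from the original article), the Python helper below classifies file paths and autorun entries against the RAA indicators described above: the .locked extension, the !!!README!!![id].rtf note, the *_doc_.js attachment name, and the dropped %MyDocuments%\st.exe. It assumes the note filename carries the same GUID-shaped victim ID shown in the note and that the autorun is a Run-key style command line (the article does not say which autorun mechanism is used); the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators from the write-up; the note's victim ID is assumed to be the GUID-shaped value shown in the note.
ENCRYPTED_EXT = ".locked"
RANSOM_NOTE_RE = re.compile(r"^!!!README!!![0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\.rtf$", re.I)
ATTACHMENT_RE = re.compile(r"_doc_\.js$", re.I)      # e.g. mgJaXnwanxlS_doc_.js
DROPPED_PONY = "st.exe"                              # written to %MyDocuments%\st.exe

def classify_path(path):
    """Map one file path to an RAA indicator class, or None if it matches nothing."""
    p = PureWindowsPath(path)
    name = p.name
    if name.lower().endswith(ENCRYPTED_EXT):
        return "encrypted"
    if RANSOM_NOTE_RE.match(name):
        return "ransom_note"
    if ATTACHMENT_RE.search(name):
        return "js_attachment"
    if name.lower() == DROPPED_PONY and p.parent.name.lower() == "documents":
        return "dropped_pony"
    return None

def classify_autorun(command_line):
    """True if an autorun command line launches a .js file (assumed Run-key style entry)."""
    return re.search(r"\.js\b", command_line, re.I) is not None

def triage(paths, autorun_entries):
    """Group matching paths by indicator class and list autorun entries that launch a .js file."""
    hits = {}
    for path in paths:
        cls = classify_path(path)
        if cls:
            hits.setdefault(cls, []).append(path)
    hits["js_autorun"] = [e for e in autorun_entries if classify_autorun(e)]
    return hits

# Constructed sample host state (hypothetical; not artefacts taken from a real infection).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.doc.locked",
    r"C:\Users\alice\Documents\photo.jpg",
    r"C:\Users\alice\Desktop\!!!README!!!E993A9FD-C5D9-4128-AF38-71A54E1258DA.rtf",
    r"C:\Users\alice\Downloads\mgJaXnwanxlS_doc_.js",
    r"C:\Users\alice\Documents\st.exe",
]
SAMPLE_AUTORUN = [
    r'wscript.exe "C:\Users\alice\Downloads\mgJaXnwanxlS_doc_.js"',
    r"C:\Program Files\Vendor\updater.exe",
]
```

Calling triage(SAMPLE_PATHS, SAMPLE_AUTORUN) returns one hit per indicator class plus the single .js autorun entry; on a real host you would feed it a directory walk and the user's Run-key values.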