New ransomware RAA written in JavaScript


A ransomware strain nicknamed RAA has been discovered. Its most striking feature is that it has been coded in JavaScript rather than in one of the traditional programming languages, which makes it more useful in some scenarios.

The security researchers who found RAA state that it is being spread by email through attachments disguised as common document files. The ransomware’s creators use the CryptoJS library, which provides the AES encryption used to lock up the unsuspecting victim’s files.

When the victim opens the document attachment, the ransomware runs through a number of steps, starting with locking the victim’s files, and also downloads additional malware onto the computer. To the victim the attachment appears to be a corrupted file, but the ransomware is running in the background, deleting and locking files, including the Windows Volume Shadow Copy. As a result, the encrypted files are unrecoverable. RAA will also run on every Windows start-up, allowing it to capture new information.

In email correspondence, Kevin Epstein, the vice president of threat operations centre at Proofpoint, wrote: “As we've previously discussed in our blog, JavaScript can provide an advantage for attackers in various ways over compiled .exe files, but we've seen ransomware written in everything from C++ to straight .bat files; detection needs to be based on dynamic as well as static file examination methods.

“JavaScript is heavily used on the web and so it's a little bit unusual to see an actual piece of ransomware powered by a scripting language. Having said that, we witness many different infection vectors that were once considered old school (like macros) or unsophisticated making a comeback.”

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related.
