RAA Ransomware

The RAA ransomware was distributed via email and infected Windows machines, encrypting files and demanding a ~$250 payment to decrypt them. Regardless of payment, it also installed the password-stealing software Pony. It used the open-source CryptoJS library to encrypt data, as Windows JavaScript environments do not expose crypto functions.

References

Payload

Too large to display inline with syntax highlighting. View the payload here: raa-ransomware.js.