
Remove RAA SEP Ransomware and Restore .locked Files


A ransomware referring to itself as RAA and RAA SEP is running in the wild. What makes it unique is that it comes along with the Pony Infostealer Trojan and is written entirely in JavaScript. The ransomware encrypts files and appends the .locked extension to them. The sum asked as ransom payment is 250 US dollars. To see how to remove the ransomware and what to try for restoring your files, read this article carefully to the end.

Threat Summary

Name: RAA SEP Ransomware
Type: Ransomware
Short Description: The ransomware is written entirely in JavaScript and is distributed as a .JS file. It encrypts files, appends the .locked extension to them and asks for a ransom of 250 US dollars.
Symptoms: Files are locked with the .locked extension. A !!!README!!!.rtf file is created containing instructions for payment.
Distribution Method: Spam emails, email attachments, suspicious sites

RAA SEP Ransomware – Distribution Method

RAA SEP ransomware is in fact a .JS file. That file can be distributed with spam emails, which spread malware as attachments. The malicious code is most often found inside these attachments. However, merely opening such an email can get your PC infected, because the body of the email may itself contain the malware code.

Social media networks and file-sharing websites are probably also used as mediums to deliver the unwanted crypto-virus. The infection spreads along with an information-stealing Trojan known for a long time as Pony Loader.

The best prevention tactic against such malware is to be extremely careful in what you click, download or open while using the Internet. Avoid suspicious files and links, especially if they have an unknown origin.
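Since the ransomware arrives as a .JS attachment, one mail-gateway control is to flag any attachment whose final extension is handled by the Windows Script Host. The following script is an added example written for this article, not code from the page or from the researchers it cites; the sample message it builds is constructed, and the extension list beyond .js is an assumption about related script formats, not something the article states.

```python
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Attachment extensions that Windows executes as script when double-clicked.
# .js is the one RAA SEP used; the rest are sibling formats added as an assumption.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


def script_attachments(raw: bytes) -> list[str]:
    """Return the file names of attachments whose final extension is a script type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        # Only the last suffix matters: "invoice.pdf.JS" still runs as JScript,
        # and the comparison is case-insensitive.
        if PurePosixPath(name).suffix.lower() in SCRIPT_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_email() -> bytes:
    """Constructed sample lure with one script and one benign attachment (not a real RAA SEP email)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"var x = 1;", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.JS")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="real.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    print("flagged attachments:", script_attachments(build_sample_email()))
```

Feed `script_attachments()` the raw bytes of any .eml file to apply the same check to real mail; a hit is a reason to quarantine the message rather than deliver it.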

RAA SEP Ransomware – A Closer Look

RAA, also known as RAA SEP, is ransomware that carries these names in its code and refers to itself by them. After the encryption process finishes, the following email is given as the contact address – raa-consult1@keemail(.)me. The ransomware was found by two malware researchers with the Twitter handles @benkow_ and @JAMESWT_MHT.

The ransomware is written entirely in JavaScript. Some people say it’s JScript, but regardless of the name (the Sun Microsystems implementation or the Microsoft one), it is the same language. The Pony Loader infostealer might be spreading with that .JS file.

The RAA SEP ransomware creates the file !!!README!!!.rtf after encryption. Inside that file you can find the ransom payment instructions. Here is how the file looks:

[Figure: RAA ransom note (!!!README!!!.rtf) with the payment instructions in Russian]

The file is in Russian, but a rough translation in English will look like the following:

***ATTENTION !***
Your files have been encrypted virus RAA.
For encryption was used algorithm AES-256 is used to protect information of state secrets.
This means that data can be restored only by purchasing a key from us.
Buying key – a simple deed.

All you need to:
1. Send your ID [random ID] to the postal address
raa-consult1@keemail(.)me.
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address
15ADP9ErZTNgU8gBoJWFCujGbJXCRDzgTv.
For information on how to buy Bitcoin for rubles with any card –
//www.bestchange(.)ru/visa-mastercard-rur-to-bitcoin(.)html
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.

Importantly (1).
Do not attempt to pick up the key, it is useless, and can destroy your data permanently.

Importantly(2).
If the specified address (raa-consult1@keemail(.)me) you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address – BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).
More details about the program – //bitmessage(.)org/wiki/Main_Page

Importantly (3).
We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.
README files located in the root of each drive.

The ransom price asked is 0.39 Bitcoins, and although the note claims this equals 250 US dollars, right now it is around 270 US dollars. The payment instructions are written in Russian, so it is logical that mainly Russian-speaking countries will be affected. You are strongly advised not to pay the ransom. Paying only serves as motivation for the malware owners, and nothing guarantees that you will get your files back after paying.

The RAA SEP ransomware uses AES with a 256-bit key for encryption. The file extensions that this ransomware searches for and encrypts are:

→.doc, .docx, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .csv, .mdb, .png, .LCD, .zip, .rar

After the encryption process is complete, all files will bear the same extension – .locked. This extension has also been utilized by the Cryptolocker.AA ransomware and by the MM Locker ransomware.

Files located under folders with any of the following names are skipped during encryption:

  • Windows
  • RECYCLER
  • Recycle.Bin
  • APPDATA
  • TEMP
  • Microsoft
  • ProgramData
  • Program Files (x86)
  • Program Files
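The extension list, the .locked suffix, the skipped folders and the drive-root ransom note together give a responder enough to triage a file system. The script below is an added example written for this article, not code from the page; it walks a directory tree, separates .locked files that are consistent with RAA SEP's behaviour from those that are not (a file under a skipped folder, or one whose original extension is not on the target list, points to a different family that uses the same extension), and records any ransom notes it meets. The sample tree it builds is constructed.

```python
from __future__ import annotations

import tempfile
from pathlib import Path

# Extensions the article lists as RAA SEP's targets (compared case-insensitively)
TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr",
    ".psd", ".cd", ".csv", ".mdb", ".png", ".lcd", ".zip", ".rar",
}
LOCKED_SUFFIX = ".locked"
RANSOM_NOTE = "!!!README!!!.rtf"
# Folder names whose contents RAA SEP leaves alone
SKIPPED_FOLDERS = {
    "windows", "recycler", "recycle.bin", "appdata", "temp", "microsoft",
    "programdata", "program files (x86)", "program files",
}


def in_skipped_folder(path: Path, root: Path) -> bool:
    """True if any directory between root and the file is one RAA SEP skips."""
    parts = path.relative_to(root).parts[:-1]
    return any(part.lower() in SKIPPED_FOLDERS for part in parts)


def triage(root) -> dict:
    """Walk a tree and sort .locked files into 'consistent with RAA SEP' or not."""
    root = Path(root)
    found = {"locked_files": [], "ransom_notes": [], "unexpected_locked": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == RANSOM_NOTE:
            found["ransom_notes"].append(rel)
        elif path.suffix.lower() == LOCKED_SUFFIX:
            # "report.docx.locked" -> original extension ".docx"
            original_ext = Path(path.stem).suffix.lower()
            if original_ext in TARGET_EXTENSIONS and not in_skipped_folder(path, root):
                found["locked_files"].append(rel)
            else:
                # RAA SEP would not have produced this file: it sits in a skipped
                # folder or had an untargeted extension, so suspect another family
                # that also uses .locked (see Cryptolocker.AA, MM Locker above)
                found["unexpected_locked"].append(rel)
    for key in found:
        found[key].sort()
    return found


def build_sample_tree(base) -> Path:
    """Constructed sample tree (not real victim data) to exercise triage()."""
    base = Path(base)
    sample_files = [
        "Users/alice/Documents/report.docx.locked",
        "Users/alice/Pictures/holiday.JPG.locked",
        "Users/alice/Documents/notes.txt",          # untouched file
        "Windows/setup.doc.locked",                 # inside a skipped folder
        "Users/alice/Desktop/archive.7z.locked",    # .7z is not on the target list
        RANSOM_NOTE,                                # note dropped in the drive root
    ]
    for rel in sample_files:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return base


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items}")
```

Point `triage()` at a mounted image or a drive root to get the same three lists for a real case; the `unexpected_locked` list is the one to read first, because it tells you whether the extension alone is enough to attribute the infection to RAA SEP.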

If the .JS file is uploaded to the VirusTotal website, you can see that some security programs already detect it:

[Figure: VirusTotal detection results for the RAA SEP .JS file]

RAA SEP ransomware is confirmed to also delete the Shadow Volume Copies from the Windows operating system.
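Deleting the Shadow Volume Copies is a step many ransomware families share, and it is also one of the more detectable ones: a script host spawning a shadow-copy deletion is a strong signal on a host where the payload is a .JS file. The following detection is an added example written for this article, not code from the page; the log lines are constructed in a Sysmon process-creation style, and the assumption that RAA SEP performs the deletion through a built-in Windows tool such as vssadmin or wmic is mine, since the article only states that the copies are removed.

```python
from __future__ import annotations

import re

# Constructed process-creation log lines written for this example; they are
# not telemetry from a real RAA SEP infection.
SAMPLE_LOG = """\
2016-06-14 10:02:11 ParentImage: C:\\Windows\\explorer.exe Image: C:\\Windows\\System32\\wscript.exe CommandLine: wscript.exe C:\\Users\\alice\\Downloads\\invoice.js
2016-06-14 10:02:13 ParentImage: C:\\Windows\\System32\\wscript.exe Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe delete shadows /all /quiet
2016-06-14 10:05:00 ParentImage: C:\\Windows\\System32\\cmd.exe Image: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin.exe list shadows
2016-06-14 10:06:30 ParentImage: C:\\Windows\\System32\\cmd.exe Image: C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine: wmic shadowcopy delete
"""

# Command shapes that remove Volume Shadow Copies. Assumption: RAA SEP uses a
# built-in tool for this; the article only says the copies are deleted.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.IGNORECASE),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.IGNORECASE),
]
# Parents that mean "a script did this", which fits a JavaScript ransomware
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

FIELD_RE = re.compile(
    r"ParentImage:\s*(?P<parent>\S+)\s+Image:\s*\S+\s+CommandLine:\s*(?P<cmd>.*)$"
)


def find_shadow_copy_deletions(log_text: str) -> list[dict]:
    """Return one record per shadow-copy deletion command, with parent context."""
    hits = []
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if not any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
            continue
        parent = m.group("parent").rsplit("\\", 1)[-1].lower()
        hits.append({
            "command": cmd,
            "parent": parent,
            # Highest-confidence case: the deletion was launched by a script host
            "script_host_parent": parent in SCRIPT_HOSTS,
        })
    return hits


if __name__ == "__main__":
    for hit in find_shadow_copy_deletions(SAMPLE_LOG):
        flag = "SCRIPT HOST" if hit["script_host_parent"] else "other parent"
        print(f"[{flag}] {hit['parent']} -> {hit['command']}")
```

The `list shadows` line is deliberately not matched: administrators run it legitimately, and alerting on every vssadmin invocation buries the one that matters. The `script_host_parent` field is what separates a .JS payload like RAA SEP from an administrator at a command prompt.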

Remove RAA SEP Ransomware and Restore .locked Encrypted Files

If your computer was infected by the RAA SEP ransomware, you should have some experience with removing malware. Remove the ransomware as soon as you can, as it may encrypt other files and spread further across the network you are currently on. We recommend that you remove this ransomware and follow the step-by-step instructions written below.

Manually delete RAA SEP Ransomware from your computer

Note! Important notice about the RAA SEP Ransomware threat: Manual removal of RAA SEP Ransomware requires interference with system files and the registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove RAA SEP Ransomware files and objects.
2. Find malicious files created by RAA SEP Ransomware on your PC.
3. Fix registry entries created by RAA SEP Ransomware on your PC.

Automatically remove RAA SEP Ransomware by downloading an advanced anti-malware program

1. Remove RAA SEP Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by RAA SEP Ransomware in the future
3. Restore files encrypted by RAA SEP Ransomware
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming of a more secure cyber space.

