Remove RAA SEP Ransomware and Restore .locked Files - How to, Technology and PC Security Forum



A ransomware family that calls itself RAA (also RAA SEP) is circulating in the wild. Two things set it apart: it is written entirely in JavaScript, and it is delivered together with the Pony infostealer Trojan. Encrypted files receive the .locked extension, and the ransom demanded is 250 US dollars. Read this article to the end to see how to remove the ransomware and what you can try in order to restore your files.

Threat Summary

Name: RAA SEP Ransomware
Short Description: The ransomware is written entirely in JavaScript and is in fact a single .JS file. It encrypts files, appends the extension .locked to them and asks for a ransom of 250 US dollars.
Symptoms: Files are locked with the .locked extension. A file named !!!README!!!.rtf is created containing the payment instructions.
Distribution Method: Spam emails, email attachments, suspicious sites

RAA SEP Ransomware – Distribution Method

RAA SEP ransomware is in fact a .JS file, which is well suited to distribution as a spam email attachment. The malicious code is the attachment itself: on a default Windows installation, double-clicking a .js file hands it to Windows Script Host (wscript.exe), which runs it with the full privileges of the logged-on user. Merely previewing a message is rarely enough to infect a PC, but the email body can carry a link to the same file, so treat the message with the same suspicion as the attachment.

Social media networks and file-sharing websites are probably also used as mediums to deliver this crypto-virus. The infection is delivered together with Pony Loader, an information-stealing Trojan that has been around for years.

The best prevention tactic against such malware is to be extremely careful about what you click, download or open while using the Internet. Avoid suspicious files and links, especially when their origin is unknown.
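As an added example (not code from the article, and not the malware's own code), here is a mail-gateway check in Python for the delivery path described above. It parses a constructed .eml message with the standard library and flags every attachment that Windows would pass to Windows Script Host, looking only at the final extension so that a double extension such as invoice.pdf.js and a false Content-Type do not help the sender. The sample message, the extension list beyond .js and the Content-Type mismatch heuristic are assumptions.

```python
"""Flag e-mail attachments that Windows would hand to Windows Script Host.

Added example, not code from the article. It parses a constructed .eml message
with Python's standard email package and reports every attachment whose final
extension is a script type, regardless of the declared Content-Type or a
misleading double extension such as invoice.pdf.js. The sample message and the
mismatch heuristic are assumptions for illustration.
"""
from __future__ import annotations

import email
import ntpath
from email import policy

# Extensions Windows Script Host (wscript.exe / cscript.exe) runs on double-click.
# .js is what RAA SEP arrives as; the rest are listed for completeness (assumption).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# Constructed sample: one benign PDF and one .js posing as a PDF through a double
# extension and a false Content-Type. The script body is an inert WScript.Echo.
SAMPLE_EML = """\
From: accounting@example.invalid
To: victim@example.invalid
Subject: Invoice 2016-06
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--BOUNDARY
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--BOUNDARY
Content-Type: application/pdf; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: 7bit

WScript.Echo("constructed sample, does nothing");
--BOUNDARY--
"""


def declared_type_is_suspicious(content_type: str) -> bool:
    """An honestly labelled script arrives as a *script* type or as
    application/octet-stream; anything else (application/pdf, image/jpeg, ...)
    is a lure. Heuristic, not a standard."""
    return not (content_type == "application/octet-stream" or "script" in content_type)


def script_attachments(raw_message: str) -> list[dict]:
    """Return one record per attachment that Windows Script Host would execute."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:                      # container parts and inline text
            continue
        # Windows picks the handler from the *last* extension only, so
        # "invoice.pdf.js" is a .js file no matter what the name suggests.
        ext = ntpath.splitext(filename)[1].lower()
        if ext not in SCRIPT_EXTENSIONS:
            continue
        findings.append({
            "filename": filename,
            "extension": ext,
            "declared_type": part.get_content_type(),
            "double_extension": filename.count(".") > 1,
            "type_mismatch": declared_type_is_suspicious(part.get_content_type()),
        })
    return findings


def verdict(raw_message: str) -> str:
    """Gateway decision: quarantine any mail carrying an executable script."""
    return "quarantine" if script_attachments(raw_message) else "deliver"


if __name__ == "__main__":
    for finding in script_attachments(SAMPLE_EML):
        print(finding)
    print(verdict(SAMPLE_EML))
```

On the sample message the check reports the single .js attachment with both the double-extension and the Content-Type mismatch set, and the verdict is "quarantine"; the benign PDF is not reported. The same idea applied on the endpoint is to change the default handler for .js files from wscript.exe to a text editor, so a double-click opens the script instead of running it.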

RAA SEP Ransomware – A Closer Look

RAA, also known as RAA SEP, is ransomware that uses these names in its own code and refers to itself by them. After the encryption process finishes, it gives the following email for contact: raa-consult1@keemail(.)me. The ransomware was found by two malware researchers with the Twitter handles @benkow_ and @JAMESWT_MHT.

The ransomware is written entirely in JavaScript. Some reports call it JScript; JScript is Microsoft's implementation of the same ECMAScript language (JavaScript itself originated at Netscape, not Sun Microsystems), and it is the engine Windows Script Host uses when a .js file is double-clicked, so the distinction makes no difference to the victim. The Pony Loader infostealer may be spreading with that .JS file.

The RAA SEP ransomware creates the file !!!README!!!.rtf after encryption. Inside it you find the ransom payment instructions. Here is how the file looks:


The file is in Russian; a rough English translation reads as follows:

Your files have been encrypted by the RAA virus.
The encryption used the AES-256 algorithm, which is used to protect state secrets.
This means the data can be restored only by purchasing a key from us.
Buying the key is a simple matter.

All you need to do:
1. Send your ID [random ID] to the e-mail address
2. Test-decrypt a few files to make sure that we really have the key.
3. Transfer 0.39 BTC ($250) to the Bitcoin address
For information on how to buy Bitcoin for rubles with any card –
4. Receive the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.

Important (1).
Do not attempt to pick the key yourself; it is useless and can destroy your data permanently.

If you have not received a reply from the specified address (raa-consult1@keemail(.)me) within 3 hours, you can use the Bitmessage service for communication (our address – BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).
More details about the program – //bitmessage(.)org/wiki/Main_Page

Important (3).
We CANNOT keep your keys for long. All keys for which no fee has been paid are deleted within a week of infection.
README files are located in the root of each drive.

The ransom asked is 0.39 Bitcoin, and although the note claims this is 250 US dollars, at the time of writing it is around 270 US dollars. The payment instructions are written in Russian, so it is logical that mainly Russian-speaking countries will be affected. Paying the ransom is strongly inadvisable: it only motivates the malware operators, and nothing guarantees that you will get your files back after paying.

The RAA SEP ransomware encrypts with AES using a 256-bit key. The file extensions it searches for and encrypts are:

→.doc, .docx, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .csv, .mdb, .png, .LCD, .zip, .rar

After the encryption process is complete, all files will bear the same extension – .locked. This extension has also been utilized by the Cryptolocker.AA ransomware and by the MM Locker ransomware.

Files located under the following folders are left alone, so the system keeps booting while user data is encrypted:

  • Windows
  • Recycle.Bin
  • TEMP
  • Microsoft
  • ProgramData
  • Program Files (x86)
  • Program Files
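For scoping an incident it helps to know which files on a host fall inside these rules. The following Python is an added example (not the ransomware's own code) that applies the extension list and the folder list above to a constructed set of paths. Two assumptions are made because the page does not state them: extension matching is case-insensitive (the list mixes .jpg and .LCD), and an excluded folder name matches any path component that contains it, so "$Recycle.Bin" on disk is covered by "Recycle.Bin".

```python
"""Which files on a host fall inside RAA SEP's hardcoded target rules?

Added example for impact scoping, not the ransomware's own code. It applies the
extension list and excluded-folder list quoted in the article to a constructed
set of Windows paths. Assumptions: extension matching is case-insensitive, and an
excluded folder name matches any path component that contains it.
"""
from __future__ import annotations

import ntpath

TARGET_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg", ".cdr",
    ".psd", ".cd", ".csv", ".mdb", ".png", ".lcd", ".zip", ".rar",
}
EXCLUDED_FOLDERS = {
    "windows", "recycle.bin", "temp", "microsoft", "programdata",
    "program files (x86)", "program files",
}

SAMPLE_PATHS = [  # constructed
    r"C:\Users\anna\Documents\report.DOCX",
    r"D:\Photos\2016\holiday.jpg",
    r"C:\Windows\System32\license.rtf",
    r"C:\Program Files (x86)\App\manual.pdf",
    r"C:\Users\anna\AppData\Local\Temp\draft.doc",
    r"C:\$Recycle.Bin\S-1-5-21-1\old.xls",
    r"D:\Archive\backup.7z",
    r"D:\Data\report.doc.locked",
]


def in_excluded_folder(path: str) -> bool:
    """True when any directory component of the path contains an excluded name."""
    _, rest = ntpath.splitdrive(path)
    folders = [p.lower() for p in rest.split("\\")[:-1] if p]
    return any(ex in folder for folder in folders for ex in EXCLUDED_FOLDERS)


def would_be_encrypted(path: str) -> bool:
    """Folder exclusion first, then the final extension; a file that already
    ends in .locked is not on the target list and is therefore skipped."""
    if in_excluded_folder(path):
        return False
    return ntpath.splitext(path)[1].lower() in TARGET_EXTENSIONS


def scope(paths: list[str]) -> list[str]:
    return [p for p in paths if would_be_encrypted(p)]


if __name__ == "__main__":
    for p in scope(SAMPLE_PATHS):
        print(p)
```

Of the eight constructed paths only report.DOCX and holiday.jpg are in scope. Note the side effect of the substring assumption: a user folder called "Templates" would also be skipped because it contains "temp", which is exactly the sort of detail to confirm against the script itself before relying on the list for recovery planning.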

If the .JS file is uploaded to VirusTotal, you can see that several security products already detect it:


RAA SEP ransomware is also confirmed to delete the Shadow Volume Copies on the infected Windows system, which means the Previous Versions feature cannot be used to roll the encrypted files back.
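The behaviours described on this page (a script host started on an attachment, shadow copies deleted, a ransom note dropped in every drive root) are what an endpoint detection should key on. The following Python is an added example, not a product rule set and not the ransomware's code, that runs three such rules over constructed Sysmon-style events. The event format, the sample events and the attachment-folder pattern are assumptions; the page does not say how RAA SEP deletes the shadow copies, so that rule matches the usual vssadmin and wmic command lines generically.

```python
"""Endpoint detection for the RAA SEP behaviours, over constructed telemetry.

Added example, not the ransomware's code and not a product rule set. Event
format (image, parent image, command line; path for file-create events), the
sample events and the attachment-folder pattern are assumptions.
"""
from __future__ import annotations

import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders where mail clients and browsers commonly drop attachments (assumption).
ATTACHMENT_DIRS = re.compile(r"\\(temp|downloads|content\.outlook)\\", re.I)
# Command line ends in a script file, optionally quoted.
SCRIPT_ARG = re.compile(r'\.(?:js|jse|vbs|vbe|wsf)"?\s*$', re.I)
# The usual shadow copy deletion commands; not specific to RAA SEP.
SHADOW_DELETE = re.compile(
    r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)
RANSOM_NOTE = "!!!readme!!!.rtf"

SAMPLE_EVENTS = [  # constructed telemetry
    {"id": 1, "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files\Microsoft Office\Office16\OUTLOOK.EXE",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\anna\AppData\Local\Temp\invoice.pdf.js"'},
    {"id": 2, "type": "process",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 3, "type": "file",
     "image": r"C:\Windows\System32\wscript.exe",
     "path": r"D:\!!!README!!!.rtf"},
    {"id": 4, "type": "process",              # benign admin script
     "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"id": 5, "type": "process",              # benign: listing, not deleting
     "image": r"C:\Windows\System32\vssadmin.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"id": 6, "type": "file",                 # benign document save
     "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\anna\Documents\notes.rtf"},
]


def at_drive_root(path: str) -> bool:
    """True for paths such as D:\\file.rtf (the note is dropped in every drive root)."""
    drive, _ = ntpath.splitdrive(path)
    return bool(drive) and ntpath.dirname(path).rstrip("\\") == drive


def detect(events: list[dict]) -> list[dict]:
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            image = ntpath.basename(ev["image"]).lower()
            parent = ntpath.basename(ev["parent"]).lower()
            cmd = ev["cmdline"]
            # Rule 1: a script host started on a script in an attachment folder.
            if image in SCRIPT_HOSTS and SCRIPT_ARG.search(cmd) and ATTACHMENT_DIRS.search(cmd):
                alerts.append({"rule": "script_host_from_attachment_dir",
                               "event_id": ev["id"], "detail": cmd})
            # Rule 2: shadow copy deletion; a script host as parent is near-certain ransomware.
            if SHADOW_DELETE.search(cmd):
                rule = ("shadow_copy_deletion_by_script_host" if parent in SCRIPT_HOSTS
                        else "shadow_copy_deletion")
                alerts.append({"rule": rule, "event_id": ev["id"], "detail": f"parent={parent}"})
        elif ev["type"] == "file":
            # Rule 3: the RAA ransom note written to a drive root.
            if ntpath.basename(ev["path"]).lower() == RANSOM_NOTE and at_drive_root(ev["path"]):
                alerts.append({"rule": "ransom_note_at_drive_root",
                               "event_id": ev["id"], "detail": ev["path"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events 1, 2 and 3 each raise one alert and the three benign events raise none. Rule 2 fires earliest in a real infection and is the one worth paging on: by the time the note appears at the drive root, encryption has already finished.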

Remove RAA SEP Ransomware and Restore .locked Encrypted Files

If your computer has been infected by the RAA SEP ransomware, you should have some experience with removing malware. Remove the ransomware as soon as you can: left running, it can encrypt further files and spread to other machines on the network you are connected to. We recommend that you remove it and then follow the step-by-step instructions written below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

