| Name | RAA SEP Ransomware |
|---|---|
| Symptoms | The ransomware locks your files with the .locked extension. A !!!README!!!.rtf file is created containing instructions for payment. |
| Distribution Method | Spam emails, email attachments, suspicious sites |
| Detection Tool | See If Your System Has Been Affected by RAA SEP Ransomware (Malware Removal Tool) |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
RAA SEP Ransomware – Distribution Method
RAA SEP ransomware is actually a .JS (JavaScript) file. That file can be distributed with spam emails, which spread malware as attachments. The malicious code is most often found inside these attachments. However, merely opening such an email can get your PC infected, because the body of the email itself may contain the malware code.
Social media networks and file-sharing websites are probably also used as mediums to deliver the unwanted crypto-virus. The infection spreads along with an information-stealing Trojan long known as Pony Loader.
The best prevention tactic against such malware is to be extremely careful in what you click, download or open while using the Internet. Avoid suspicious files and links, especially if they have an unknown origin.
RAA SEP Ransomware – A Closer Look
RAA, also known as RAA SEP, is ransomware that carries these names in its code and refers to itself by them. After the encryption process finishes, the following email address is given for contact: raa-consult1@keemail(.)me. The ransomware was found by two malware researchers with the Twitter handles @benkow_ and @JAMESWT_MHT.
The RAA SEP ransomware creates the file !!!README!!!.rtf after encryption. Inside that file you can find the ransom payment instructions. Here is how the file looks:
The file is in Russian, but a rough translation in English will look like the following:
Your files have been encrypted virus RAA.
For encryption was used algorithm AES-256 is used to protect information of state secrets.
This means that data can be restored only by purchasing a key from us.
Buying key – a simple deed.
All you need to:
1. Send your ID [random ID] to the postal address
2. Test decrypt few files in order to make sure that we do have the key.
3. Transfer 0.39 BTC ($ 250) to Bitcoin-address
For information on how to buy Bitcoin for rubles with any card –
4. Get the key and the program to decrypt the files.
5. Take measures to prevent similar situations in the future.
Do not attempt to pick up the key, it is useless, and can destroy your data permanently.
If the specified address (raa-consult1@keemail(.)me) you have not received a reply within 3 hours, you can use the service for communication Bitmessage (our address – BM-2cVCd439eH5kTS9PzG4NxGUAtSCxLywsnv).
More details about the program – //bitmessage(.)org/wiki/Main_Page
We CAN NOT long keep your All keys, for which no fee has been paid, are removed within a week after infection.
README files located in the root of each drive.
The ransom price asked is 0.39 BitCoins, and although it is claimed that this is 250 US dollars, right now it is around 270 US Dollars. The paying instructions are written in Russian, so it is logical that mainly Russian-speaking countries will be infected. It is strongly advised not to pay the ransom. Paying can only serve as motivation for the malware owners. Nothing can guarantee that you will get your files back after paying.
The RAA SEP ransomware uses an AES 256-bit algorithm for encryption. The file extensions that this ransomware searches for and encrypts are:
.doc, .docx, .xls, .rtf, .pdf, .dbf, .jpg, .dwg, .cdr, .psd, .cd, .csv, .mdb, .png, .LCD, .zip, .rar
- Program Files (x86)
- Program Files
If the .JS file is uploaded to the VirusTotal website, you can see that some security programs are already detecting it:
RAA SEP ransomware is also confirmed to delete the Shadow Volume Copies from the Windows operating system, which removes the built-in restore points a victim could otherwise use to recover files.
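The two on-disk indicators the article describes (files renamed with a .locked extension, and a !!!README!!!.rtf note dropped at each drive root) can be turned into a simple triage scan. This is an added example, not code from the original article; it uses the article's own extension list and builds a constructed sample tree so it runs offline:

```python
"""Triage helper for RAA SEP indicators (added example, not from the article)."""
import os
import tempfile
from collections import Counter

# Extension list as given in the article; compared case-insensitively.
TARGETED = {".doc", ".docx", ".xls", ".rtf", ".pdf", ".dbf", ".jpg", ".dwg",
            ".cdr", ".psd", ".cd", ".csv", ".mdb", ".png", ".lcd", ".zip", ".rar"}
NOTE_NAME = "!!!README!!!.rtf"   # ransom note name from the article
LOCKED_EXT = ".locked"           # extension appended to encrypted files


def scan_tree(root):
    """Walk root and report ransom notes found, .locked files grouped by their
    original extension, and a verdict on whether the tree shows RAA SEP traces."""
    notes, by_ext = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(LOCKED_EXT):
                # "report.docx.locked" -> original extension ".docx"
                original = os.path.splitext(name[:-len(LOCKED_EXT)])[1].lower()
                by_ext[original] += 1
    targeted_hits = sum(n for ext, n in by_ext.items() if ext in TARGETED)
    return {
        "notes": notes,
        "locked_by_ext": dict(by_ext),
        # Either indicator alone is worth escalating; both together are a strong match.
        "suspected": bool(notes) or targeted_hits > 0,
    }


def build_sample():
    """Construct a throwaway tree mimicking a hit drive (sample data, not a real infection)."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, NOTE_NAME), "w").close()          # note at the "drive root"
    docs = os.path.join(root, "Users", "alice", "Documents")
    os.makedirs(docs)
    for f in ("report.docx.locked", "photo.jpg.locked", "notes.txt", "archive.zip.locked"):
        open(os.path.join(docs, f), "w").close()
    return root


if __name__ == "__main__":
    print(scan_tree(build_sample()))
```

Point the scanner at each drive root on a suspect machine; a non-empty `notes` list or any `.locked` hits on the targeted extensions is the cue to isolate the host before continuing with the removal steps below.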
Remove RAA SEP Ransomware and Restore .locked Encrypted Files
If your computer was infected by the RAA SEP ransomware, you should have some experience with removing malware. Remove the ransomware as soon as you can, as it may encrypt other files and spread further across the network you are currently on. We recommend that you remove this ransomware and follow the step-by-step instructions written below.