New Ransomware is 100% Pure JavaScript with No Download Required

New Ransomware is 100% Pure JavaScript with No Download Required

If you’ve ever read a PC security blog, then you’ve probably read a tip like this: don’t download suspicious files from unknown sources.

Everyone knows that tip.

But a new ransomware virus making its way across the internet throws that tip out the window. This new ransomware is 100% JavaScript-based with no download required.

Sound scary? It is.

The new ransomware was spotted by SophosLabs and SurfRight. It’s being called RAA. Some antivirus software is blocking the JavaScript application while other programs are not.

What is Ransomware?

Ransomware is a type of malware that infects your computer and then encrypts valuable data.

After encrypting this data, it locks you out and demands a password. In order to get that password, you need to pay a lofty sum – typically somewhere between $200 and $600 in Bitcoin.

If you don’t pay that sum within a certain period of time, then your data is erased.

Ransomware attacks have taken place against everyone from government organizations to major companies to individual users.

To date, all major ransomware attacks have involved inadvertently downloading a malicious file. Most attacks in 2015, for example, arrived in infected Word documents.

These Word documents would contain a macro, or a series of commands embedded in documents. Instead of performing a useful task, that macro would install ransomware on your computer.

Over the past few months, we’ve seen an increasing number of ransomware attacks arriving through JavaScript attachments.

Criminals Moved Onto JavaScript-Based Malware in Early 2016

Starting in 2016, many online criminals began to switch to JavaScript-based attacks after Word became a less and less lucrative target.

raa ransomware

Criminals still required you to download a file, but the attack strategy tended to be more effective. You’d be prompted to download a file called something like Invoice.txt.js, for example. After you downloaded that attachment and clicked on it, the JavaScript application would run and infect your computer instantly.

JavaScript attachments are particularly effective because users don’t always see the .js file extension (it may appear as invoice.txt.js and look like a .txt file, for example).

Windows also tends to display .js files with a relatively innocent icon – like a gear icon. You rarely get the same warning message you see when installing .exe files from the internet.

Today, Pure JavaScript Attacks Have Been Spotted in the Wild

Now, we’re entering a whole new world of ransomware attacks, where JavaScript isn’t used to download the ransomware: it is the ransomware. Here’s why this is so effective:


-JavaScript is a general purpose programming language that can be adapted for anything from modern scripts to full-blown applications

-JavaScript on Windows (outside your internet browser) doesn’t run in any type of sandbox. It just runs in the Windows Script Host, or WSH, which gives the application complete access to your computer just like a normal application.

-Freely-available encryption source codes can be hidden in the malware. Implementing these JavaScript attacks is much easier because open source programmers have already down the hard work of creating cryptographic source code.


All that’s needed for a Pure JavaScript attack is for the JavaScript malware file to be inside your network. Once this occurs, it’s ready to pop up random messages on its own.

When the attack occurs, it will open a decoy document in Microsoft Word that looks like this:

raa fake error

Photo courtesy of

This tricks you into thinking that you’ve opened a Microsoft Word file instead of a malicious document. So even though you just activated a dangerous JavaScript, you’ll think you just accidentally opened an Office file. This distracts you while the virus goes to work.

Ultimately, the RAA virus will then encrypt your data using AES-256 encryption. You’ll then see a page explaining where to send the payment to unlock your content:



Your files have been encrypted by the RAA malware.

The AES-256 algorithm was used for encryption – the same encryption that is used to protect state secrets.

This means that restoring data is only possible by buying the key from us.

Buying the key is the simplest solution.

The virus demands 0.39 BTC, or about $250 USD.


Ultimately, this malware is not widespread. However, it’s still a significant event because it’s a dramatic new development in the world of ransomware. You no longer have to download an infected file to become victim of a devastating ransomware attack.

Consider downloading antivirus software or anti-malware software like Total System Care today.

No Comments

Sorry, the comment form is closed at this time.