According to Kaspersky:
Specifically targeting Russian-speaking countries, the spam emails containing RAA #2 are clearly directed at corporate employees, with a message that attempts to fool the recipient into thinking they are past due on a payment and may be subject to litigation. The message also claims that internal security regulations require the recipient to enter the password 111 in order to open the attached file.
It should be noted that sending malicious content in a password-protected archive is a well-known trick used by cyber-criminals to prevent anti-malware systems installed on mail servers from unpacking the archive and detecting any malicious content. To unpack an archive like this, the anti-malware product must automatically retrieve the password from the message, which isn’t always possible.
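The countermeasure described above, as an added example that is not part of the original post or of Kaspersky's research: a mail-gateway check that recovers candidate passwords from the message body, tries them against an encrypted ZIP attachment, and quarantines the message when the archive cannot be opened or contains a script payload. The archive builder is a minimal writer for the legacy ZipCrypto scheme (which Python's standard library can read but not write) so the sample runs offline; the lure text, file names and function names are constructed for illustration.

```python
import io, re, struct, zipfile, zlib

def _upd(k, c):  # one ZipCrypto key-update step (same primitive CPython's zipfile uses to decrypt)
    k[0] = zlib.crc32(bytes([c]), k[0] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF
    k[1] = ((k[1] + (k[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
    k[2] = zlib.crc32(bytes([k[1] >> 24]), k[2] ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

def make_encrypted_zip(name, content, pwd):
    """Constructed fixture: a one-entry, stored, ZipCrypto-encrypted archive (bytes)."""
    k = [0x12345678, 0x23456789, 0x34567890]
    for c in pwd:
        _upd(k, c)
    crc = zlib.crc32(content) & 0xFFFFFFFF
    out = bytearray()
    for c in bytes(11) + bytes([crc >> 24]) + content:  # 12-byte prefix ends in the CRC check byte
        t = k[2] | 2
        out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        _upd(k, c)
    lfh = struct.pack('<IHHHHHIIIHH', 0x04034B50, 20, 1, 0, 0, 0, crc, len(out), len(content), len(name), 0) + name
    cdh = struct.pack('<IHHHHHHIIIHHHHHII', 0x02014B50, 20, 20, 1, 0, 0, 0, crc, len(out), len(content),
                      len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack('<IHHHHIIH', 0x06054B50, 0, 0, 1, 1, len(cdh), len(lfh) + len(out), 0)
    return lfh + bytes(out) + cdh + eocd

def password_candidates(body):
    """Heuristic recovery: the token after 'password'/'пароль', plus any bare 3-8 digit run."""
    found = re.findall(r'(?:password|пароль)\W*(?:is\s+)?([^\s.,;"]+)', body, re.I)
    found += re.findall(r'\b\d{3,8}\b', body)
    return [c.encode() for c in dict.fromkeys(found)]

def scan_attachment(body, archive):
    """Unpack encrypted entries with recovered passwords; flag script payloads or anything unopenable."""
    verdict = {'encrypted': False, 'password': None, 'names': [], 'flagged': False}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            verdict['names'].append(info.filename)
            if info.flag_bits & 0x1:
                verdict['encrypted'] = True
                for pwd in password_candidates(body):
                    try:
                        zf.read(info, pwd=pwd)
                    except (RuntimeError, zipfile.BadZipFile):
                        continue
                    verdict['password'] = pwd.decode()
                    break
                else:  # no candidate opened it: quarantine rather than pass it through unscanned
                    verdict['flagged'] = True
            if info.filename.lower().endswith(('.js', '.jse', '.wsf', '.hta', '.vbs')):
                verdict['flagged'] = True
    return verdict

# Constructed lure modelled on the page's description (not a real RAA sample or payload).
BODY = 'Your invoice is past due and may be referred to litigation. Per internal security regulations, enter the password 111 to open the attached file.'
ARCHIVE = make_encrypted_zip(b'invoice.doc.js', b'// harmless stand-in for the JScript payload', b'111')
```

Running `scan_attachment(BODY, ARCHIVE)` recovers the password 111 from the body, opens the archive, and flags it because the entry is a `.js` file; a message whose body yields no working password is flagged as unscannable.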
Once installed, Trojan-Ransom.JS.RaaCrypt.ag opens an RTF file that poses as a Microsoft Word document in order to distract users while their files are encrypted. No ransom amount is specified; instead, the victim is given ways to contact the attacker via email or BitMessage, and the ransom message warns victims that their files are encrypted with the AES algorithm, which it claims is used “to protect the state secret.”
The Pony trojan, which resides as an executable inside RAA’s code, exfiltrates the infected machine’s confidential data. The attacker can then gain access to the victim’s contacts and other resources, presumably to carry out more targeted attacks.
More Information About Trojan-Ransom.JS.RaaCrypt.ag
For more information about this ransomware, please view the blog post by Kaspersky Lab researchers below: