A new ransomware was recently discovered by accident by a Reddit user. It is called RaaS, or Ransomware as a Service (also searched for as Encryptor RaaS). RaaS ransomware is dangerous and free to use. It allows “affiliates” to manufacture their own ransomware and distribute it as they wish. The RaaS affiliate system is hosted on the TOR network, and all an “affiliate” needs to do to obtain their own piece of RaaS ransomware is enter the bitcoin address at which they want to receive payments. The RaaS developer does the rest of the work: collecting and validating payments and issuing decrypters for the ransomware. In return, the RaaS developer keeps 20% of the collected ransom payments.

The RaaS system is very similar to another affiliate ransomware called Tox, except that the RaaS ransomware service is easier to use and does not have an affiliate console. Since RaaS does not have an affiliate console like Tox, the ransomware user will need to trust the RaaS developer to deliver the correct payments. The RaaS affiliate will also need to rely on their own distribution tactics to determine how many of their ransomware infections have been released and properly contracted.

It is suggested that portions of the ransomware, or the entire ransomware itself, may be written in Java, which could make it the first of its kind. The executable files have a reference to libgcj-16.dll, which is part of the GNU Compiler for the Java Programming Language (also known as GCJ). GCJ allows Java programs to be compiled into native Windows executable files.

There is no specific file location or method of infection for this ransomware. The method of infection and the executable itself are left up to the affiliate to determine. Once RaaS ransomware is installed, it encrypts files based on their extension using a custom and currently unknown encryption method. Encrypted files retain their original extensions, unlike other types of ransomware that encrypt files and change the extension from .jpg to another. The file extensions targeted by RaaS ransomware are:

abw,accdb,ai,aif,arc,as,asc,asf,ashdisc,asm,asp,aspx,asx,aup,avi,bbb,bdb,bibtex,bkf,bmp,bpn,btd,bz2,c,cdi,cer,cert,cfm,cgi,cpio,cpp,crt,csr,cue,c++,dds,dem,dmg,doc,docm,docx,dsb,dwg,dxf,eddx,edoc,eml,emlx,eps,epub,fdf,ffu,flv,gam,gcode,gho,gif,gpx,gz,h,hbk,hdd,hds,hpp,h++,ics,idml,iff,img,indd,ipd,iso,isz,iwa,j2k,jp2,jpf,jpeg,jpg,jpm,jpx,jsp,jspa,jspx,jst,key,keynote,kml,kmz,lic,lwp,lzma,m3u,m4a,m4v,max,mbox,md2,mdb,mdbackup,mddata,mdf,mdinfo,mds,mid,mov,mp3,mp4,mpa,mpb,mpeg,mpg,mpj,mpp,msg,mso,nba,nbf,nbi,nbu,nbz,nco,nes,note,nrg,nri,ods,odt,ogg,ova,ovf,oxps,p2i,p65,p7,pages,pct,pdf,pem,phtm,phtml,php,php3,php4,php5,phps,phpx,phpxx,pl,plist,pmd,pmx,png,ppdf,pps,ppsm,ppsx,ppt,pptm,pptx,ps,psd,pspimage,pst,pub,pvm,qcn,qcow,qcow2,qt,ra,rar,raw,rm,rtf,s,sbf,set,skb,slf,sme,smm,spb,sql,srt,ssc,ssi,stg,stl,svg,swf,sxw,syncdb,tar,tc,tex,tga,thm,tif,tiff,toast,torrent,tpl,ts,txt,vbk,vcard,vcd,vcf,vdi,vfs4,vhd,vhdx,vmdk,vob,wbverify,wav,webm,wmb,wpb,wps,xdw,xlr,xls,xlsx,xz,yuv,zip,zipx.

Once these files have been encrypted, RaaS ransomware places an encryptor_raas_readme_liesmich.txt file on the computer. The encryptor_raas_readme_liesmich.txt file includes instructions on how to obtain access to files encrypted by RaaS ransomware through the TOR network.

An example of encryptor_raas_readme_liesmich.txt is listed below:

ATTENTION!
The files on your computer have been securely encrypted by Encryptor RaaS.
To get access to your files again, follow the instructions at:
https://decryptoraveidf7.onion.to/vict?cust=<cust_id>&guid=<affiliate_id>

NOT PAYED, the price is 0.174911 BTC (Bitcoin). In 71 hours, the price will be 0.349822 BTC (Bitcoin).

Instructions to unlock your files / data:

1. Download and install the Multibit application.

This will give you your own Bitcoin-wallet address. You can find it under the "Request" tab.

2. Buy 0.174911 Bitcoins and send it to your own Bitcoin-wallet address, they will show up in the Multibit app that you installed earlier.

From there, hit the "Send" tab.

RaaS ransomware does not delete Shadow Volume Copies or perform secure deletions of encrypted files like other types of ransomware do, which is a very good thing for those who become infected with RaaS. It means that it is possible to restore your files using a program like Shadow Explorer or file restore/recovery (refresh/reset) software, unless the RaaS user somehow develops a way to restrict this.
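Because encrypted files keep their original extensions, a triage pass has to look inside the files rather than at their names. The following sketch is an added example, not part of the original article: it finds the ransom note by the filename given above, extracts the cust/guid ids and price from it, and flags files whose leading bytes no longer match their extension, which gives a list of files to restore from Shadow Volume Copies. It assumes the encryption alters a file's first bytes (the article does not confirm this); the signature table, function names and sample data are constructed for illustration.

```python
import os
import re
import tempfile

NOTE_NAME = "encryptor_raas_readme_liesmich.txt"  # note filename given on this page
# Standard leading signatures for a few of the targeted extensions.
MAGIC = {"pdf": [b"%PDF-"], "png": [b"\x89PNG\r\n\x1a\n"], "gif": [b"GIF87a", b"GIF89a"],
         "jpg": [b"\xff\xd8\xff"], "jpeg": [b"\xff\xd8\xff"],
         "zip": [b"PK\x03\x04", b"PK\x05\x06"], "docx": [b"PK\x03\x04"], "xlsx": [b"PK\x03\x04"]}
NOTE_IDS = re.compile(r"cust=([^&\s]+)&guid=(\S+)")
NOTE_PRICE = re.compile(r"price is ([0-9.]+) BTC")

def parse_note(text):
    """Extract victim id, affiliate id and quoted price from a ransom note."""
    ids, price = NOTE_IDS.search(text), NOTE_PRICE.search(text)
    cust, guid = ids.groups() if ids else (None, None)
    return {"cust": cust, "guid": guid, "price_btc": price.group(1) if price else None}

def triage(root):
    """Return (notes, suspects): parsed notes, and files whose header mismatches their extension."""
    notes, suspects = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            sigs = MAGIC.get(os.path.splitext(name)[1].lstrip(".").lower())
            is_note = name.lower() == NOTE_NAME
            if not (is_note or sigs):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(65536 if is_note else 8)
            except OSError:
                continue  # unreadable or locked file: skip rather than abort
            if is_note:
                notes.append(parse_note(data.decode("utf-8", "replace")))
            elif not any(data.startswith(sig) for sig in sigs):
                suspects.append(os.path.relpath(path, root))
    return notes, sorted(suspects)

def demo():
    """Constructed sample tree: an intact PDF, an overwritten PNG and a note."""
    note = b"https://example.invalid/vict?cust=CUST1&guid=AFF2\nthe price is 0.174911 BTC\n"
    files = {"ok.pdf": b"%PDF-1.4\n", "photo.png": b"\x8e\x11constructed", NOTE_NAME: note}
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root)
```

Empty files with a listed extension are also reported, so review the suspect list before restoring over anything.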

How to remove RaaS (Virus Removal Guide)

This comprehensive RaaS removal guide will help you remove RaaS virus from your PC and decrypt files encrypted by RaaS ransomware.

Remove RaaS virus with Malwarebytes

1. We recommend that you write down the toll free number below in case you run into any issues while removing this infection. Our techs will kindly assist you with any problems you may face.

1-888-986-8411

2. Download and install Malwarebytes Anti-Malware software.

3. Launch Malwarebytes Anti-Malware software once it has finished installing.

4. Make sure that Malwarebytes has been updated. To ensure it is updated click Update Now on the Dashboard.

5. Click the large Scan Now button on the dashboard to perform a scan with Malwarebytes Anti-Malware software.

6. When the scan is complete click the Remove Selected button and then click the Finish button or restart your computer if Malwarebytes suggests that you do so.

Note: If you are still having issues removing RaaS, we suggest that you use a second opinion scanner such as HitmanPro 3 to locate and remove any computer infection that may be present.

RaaS virus removal tips

  • If you are still having issues removing RaaS you should use a second opinion scanner such as HitmanPro 3. HitmanPro 3 is the best second opinion scan and removal tool. It can be used to locate and remove remaining threats.
  • It is possible to remove RaaS ransomware from your computer and obtain your files encrypted by RaaS by performing a system recovery or restore on Windows 7 and below, or a refresh or reset on Windows 8. Also see: How to refresh or reset Windows 10.
  • If you do not want to restore your computer to a previous state you can try Shadow Explorer software found at shadowexplorer.com.
  • If you need help our tech support team is standing by 24 hours a day. You can reach tech support at: 1-888-986-8411
