Rajah Ransomware Asks for Bitcoin Ransom

During our analysis of new file submissions, our research team came across the Rajah ransomware, a malicious program belonging to the Makop ransomware family. This specific type of malware is designed with the purpose of encrypting data and extorting payment in exchange for decryption.

Upon testing the Rajah ransomware on our system, we observed that it encrypts files and modifies their filenames by appending a distinct ID assigned to each victim, the email address of the cyber criminals, and the ".rajah" extension. As an example, a file originally named "1.jpg" would be renamed to "1.jpg.[2AF20FA3].[rajah@airmail.cc].rajah". Furthermore, the ransomware creates a ransom note named "+README-WARNING+.txt".

The ransom note serves as a demand for payment, stating that the victim's files have been encrypted and can only be restored by the attackers. It explicitly warns against using anti-virus software or third-party recovery tools, claiming that such actions would render the files permanently undecryptable and cause irreversible data loss. The victim is told that decryption requires paying a ransom in Bitcoin, but the note does not specify the amount.
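The renaming scheme described above gives a defender a concrete artifact to look for. The following Python script is an added example, not code from the original report: it parses filenames of the form "<original>.[<victim ID>].[<email>].rajah" and flags the "+README-WARNING+.txt" note in a directory listing. The 8-hex-digit ID length is an assumption generalised from the single sample on the page, and the listing is constructed.

```python
import re
from typing import Optional

# Pattern observed on the page: "<original>.[<victim ID>].[<attacker email>].rajah".
# Assumption: the victim ID is always 8 hex digits, as in the one sample "2AF20FA3".
RAJAH_NAME = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.rajah$"
)
RANSOM_NOTE = "+README-WARNING+.txt"


def parse_rajah_name(name: str) -> Optional[dict]:
    """Return the parts of a Rajah-renamed file, or None if the name does not match."""
    m = RAJAH_NAME.match(name)
    return m.groupdict() if m else None


def scan_listing(names):
    """Summarise a listing: original names of encrypted files, emails seen per
    victim ID, and whether the ransom note is present."""
    summary = {"encrypted": [], "by_victim_id": {}, "ransom_note_present": False}
    for n in names:
        if n == RANSOM_NOTE:
            summary["ransom_note_present"] = True
            continue
        parts = parse_rajah_name(n)
        if parts:
            summary["encrypted"].append(parts["original"])
            summary["by_victim_id"].setdefault(parts["victim_id"], set()).add(parts["email"])
    return summary


# Constructed sample listing (not from a real infection); the first entry is the page's example.
SAMPLE_LISTING = [
    "1.jpg.[2AF20FA3].[rajah@airmail.cc].rajah",
    "report.docx.[2AF20FA3].[rajah@airmail.cc].rajah",
    "notes.txt",
    "archive.rajah",  # bare extension without ID/email blocks: must not match
    "+README-WARNING+.txt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```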

Rajah Ransom Note Lists No Specific BTC Ransom

The complete text of the Rajah ransom note reads as follows:

XXX Your data has been encrypted XXX

To restore your data, write to rajah@airmail.cc

PLEASE READ THE TEXT BELOW VERY CAREFULLY!!!

  1. No one will return your data except us (do not trust third parties)
  2. Antivirus and recovery programs will permanently corrupt your data (Even we can't restore it to you!)
  3. Payment for the recovery of your data is made in BITCOIN (BTC) !!! BITCOIN ONLY!!!
  4. You can buy BITCOIN (BTC) on the website hxxps://www.binance.com/en (Pass a simple registration following the instructions on the site and then purchase BITCOIN (BTC)

If you have read the text above and you need your data, it's time to write to us.

How Can Ransomware Like Rajah Get Inside Your System?

There are several common ways through which ransomware like Rajah can infiltrate your system:

  • Phishing Emails: Cybercriminals often distribute ransomware through phishing emails. They craft emails that appear legitimate and convince recipients to click on malicious links or download infected attachments. Once opened, the malware gains access to the system and begins encrypting files.
  • Malicious Downloads: Ransomware can be bundled with seemingly harmless downloads from untrusted websites or disguised as legitimate software updates. When users unknowingly download and execute these malicious files, the ransomware takes control of the system.
  • Exploiting Software Vulnerabilities: Cybercriminals exploit vulnerabilities in operating systems, software programs, or plugins to deliver ransomware. If your system is not up to date with the latest security patches, it becomes more susceptible to such attacks.
  • Drive-by Downloads: Visiting compromised or malicious websites can lead to drive-by downloads, where malware is automatically downloaded and installed without user interaction. This can occur through exploit kits that target vulnerabilities in web browsers or plugins.
  • Infected External Devices: Ransomware can spread through infected external devices such as USB drives or external hard drives. When these devices are connected to your system, the malware can initiate its encryption process.
July 13, 2023