
Threat Profile: Jaff Ransomware

Posted by Morphisec Team on May 19, 2017 at 7:03 PM

Last week, a massive wave of spam email that infects victims with a new type of ransomware, dubbed "Jaff", flooded networks across Europe, North America and Australia. Estimates put the number of malicious emails in the tens of millions.

Who’s Behind the Attack?  

There is some speculation that the threat actor behind Jaff is the same as the one behind the infamous Locky ransomware, since both use the same distribution and infection methods and the payment site is nearly identical. However, the code is completely different from Locky, and it may be that a new threat actor simply stole Locky's payment site HTML.

Who is Affected?

With this kind of widespread malspam campaign, everyone is a potential victim.

What does Jaff Ransomware Do?

Jaff ransomware encrypts the files on the infected system, targeting 423 file extensions according to researchers at Forcepoint. The encrypted files are appended with a “.jaff” extension and a ransom demand is displayed that directs victims to a Tor site payment portal. Victims must pay up to 2 Bitcoins (approx $3,700) to unlock their files.

How it Works

Jaff uses the Necurs botnet to spread spam emails that carry a malicious PDF attachment containing an embedded Microsoft Word document. When victims open the PDF, the embedded DOCM file is launched and they are prompted to “enable content.” Once the malicious content is enabled, the Microsoft Word document executes a VBA macro that downloads the Jaff ransomware executable. When the Jaff installer is executed, it connects to a C&C server to report that a new victim has been infected, and then proceeds to encrypt the targeted files using AES encryption.
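The delivery chain above (a PDF carrying a macro-enabled Word document) can be checked statically at a mail gateway or during triage. The following is an added example, not Morphisec's code: it inspects each stream in a PDF and reports any that decode to an Office Open XML package containing a VBA project. The function names and the sample input are constructed for illustration, and it assumes an unencrypted PDF whose streams are raw or FlateDecode-compressed.

```python
import io
import re
import zipfile
import zlib

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)

def macro_docs_in_pdf(pdf_bytes):
    """Return, per OOXML package found in a PDF stream, its VBA project paths."""
    hits = []
    for obj in OBJ_RE.finditer(pdf_bytes):
        body = obj.group(1)
        m = STREAM_RE.search(body)
        if not m:
            continue  # object has no stream, so it cannot carry a file
        data = m.group(1)
        if b"/FlateDecode" in body[: m.start()]:
            try:
                # decompressobj tolerates a trimmed or padded stream tail
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                continue  # other filters/encodings are out of scope here
        if not data.startswith(b"PK\x03\x04"):
            continue  # not a ZIP container, so not DOCM/XLSM/PPTM
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            continue
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            hits.append(vba)
    return hits

def sample_pdf(with_macro):
    """Constructed input: minimal PDF-like bytes embedding a tiny OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    stream = zlib.compress(buf.getvalue())
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode >>\n"
    return head + b"stream\n" + stream + b"\nendstream\nendobj\n%%EOF\n"

if __name__ == "__main__":
    print(macro_docs_in_pdf(sample_pdf(True)))   # macro-bearing attachment
    print(macro_docs_in_pdf(sample_pdf(False)))  # same container, no macro
```

The check keys on the decoded content rather than the attachment's file name or the optional `/Type /EmbeddedFile` entry, so a renamed or untyped embedded document is still reported.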

How Does Morphisec Protect You from Jaff Ransomware?

Morphisec stops the Jaff ransomware executable before it can perform any malicious activity.


Topics: Cyber Attacks, Cyber Security, Endpoint Security, Ransomware, Threat Profile
