Morphisec Cybersecurity Blog

Threat Profile: Jaff Ransomware

Written by Morphisec Team | May 19, 2017 at 11:03 PM

Last week, a massive wave of spam email that infects victims with a new type of ransomware, dubbed "Jaff", flooded networks across Europe, North America and Australia. Estimates put the number of malicious emails in the tens of millions.

Who’s Behind the cyberAttack?  

There is some speculation that the threat actor behind Jaff is the same as that behind the infamous Locky ransomware as they use the same distribution and infection methods and the payment site is nearly identical. However, the code is completely different from Locky and it may be that a new threat actor simply stole Locky's payment site HTML.

Who is Affected?

With this kind of widespread malspam campaign, everyone is a potential victim.

What does Jaff Ransomware Do?

Jaff ransomware encrypts the files on the infected system, targeting 423 file extensions according to researchers at Forcepoint. The encrypted files are appended with a “.jaff” extension and a ransom demand is displayed that directs victims to a Tor site payment portal. Victims must pay up to 2 Bitcoins (approx $3,700) to unlock their files.

How jaff ransomware Works

Jaff uses the Necurs botnet to spread spam emails which have a malicious PDF attachment containing an embedded Microsoft Word document. When victims open the PDF, the embedded DOCM file is launched and they are prompted to “enable content.” Once the malicious content is enabled, the Microsoft Word document executes a VBA macro that downloads the Jaff ransomware executable. When the Jaff installer is executed, it connects with a C&C server to notify that a new victim has been affected and then it proceeds to encrypt the targeted files using AES encryption.

How Does Morphisec Protect You from Jaff Ransomware?

Morphisec stops the Jaff ransomware executable before it can perform any malicious activity.