New ransomware Jaff demands $3,700 payments
Security

New ransomware Jaff demands $3,700 payments

Attackers behind the highly successful Locky and Bart ransomware campaigns have returned with a new creation: A malicious file-encrypting program called Jaff that asks victims for payments of around $3,700.

Like Locky and Bart, Jaff is distributed via malicious spam emails sent by the Necurs botnet, according to researchers from Malwarebytes. Necurs first appeared in 2012 and is one of the largest and longest-running botnets around today.

According to an April analysis by researchers from IBM Security, Necurs is made up of about 6 million infected computers and is capable of sending batches of millions of emails at a time. It is also indirectly responsible for a large percentage of the world's cybercrime because it's the main distribution channel for some of the worst banking Trojan and ransomware programs.

Safe to say that since Jaff is being distributed by Necurs, it will hit a lot of mailboxes.

The emails observed so far attempt to mimic the automated emails sent by printers: The subject line is simply one of the words Copy, Document, Scan, File or PDF, followed by a random number.

The attachment is a PDF file called nm.pdf that has a Word document embedded into it. This second document has malicious macros attached and contains instructions for users to allow the code to execute.

If the macros are allowed to run, they will download and install the Jaff ransomware, which immediately starts encrypting files that match a long list of targeted file extensions. After encryption, the affected files will get a .jaff extension appended to them.

The ransomware also creates two files with instructions for making a bitcoin payment in order to obtain a decryptor program. The payment portal is hosted on the Tor network and is visually identical to the portal used by the Bart ransomware, suggesting a relationship between these two threats.

While there are some similarities with Locky and Bart, the Jaff ransomware uses a different code base, so it's a separate program, according to the Malwarebytes researchers.

Another interesting aspect is the ransom amount of 2 bitcoins, or around $3,700, which is significantly higher than what most other ransomware programs ask for.

Users should always be suspicious of unsolicited documents sent to them by email and should never allow the execution of active content inside documents unless they can verify their source. The best protection against ransomware is having a good backup routine in place that makes copies to an external storage device that's not always connected to the computer.

IDG Insider

PREVIOUS ARTICLE

«How to play the Quake Champions open beta this weekend

NEXT ARTICLE

How to make and send selfie stickers in Google Allo»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Add Your Comment

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Will Kotlin overtake Java as the most popular Android programming language in 2018?