Jaff ransomware

Cyber attacks continue to grab the headlines worldwide, as threat actors use ransomware to extort money from potential victims. Previously this kind of attack could simply be removed from an infected computer, but recent ransomware attacks have caused major issues, even for the experts.

“Scareware”, as it is also known, intimidates users into paying a fee, and the latest malware is no exception. Jaff ransomware sent millions of malicious emails across the world, locking users’ files and demanding money. This shows that when it comes to cyber security, computer users are still very much behind the ball.

Bitcoin payment was demanded in this strain, as this type of cryptocurrency offers anonymity, yet recent ransomware demands have also asked for iTunes cards and Amazon gift cards.

What Is Jaff Ransomware?

Dozens of firms have been victims of global cyber attacks recently, and Jaff is yet another to add to the list. The UK’s National Health Service was recently crippled by the WannaCry attack, which went on to hit computers in over 150 countries.

Ransomware holds computers to ransom until the attackers’ demands are met. In the case of the Jaff infection, the victim is directed to a Tor payment portal demanding $3,700 to unlock their files, with the payment to be made in two Bitcoins. Once paid, the encrypted files are accessible again.

How It Works

The Jaff ransomware is hidden in an email attachment and is distributed by the Necurs botnet. The phishing email carries a PDF file that implies the user needs to open an important report or document; embedded inside that PDF is a Microsoft Word document containing macro scripting.

The user opens the PDF file, the embedded DOCM file requests that the user ‘enable content’, and once the macro runs it encrypts the targeted files. Jaff then connects to a C&C server to report the latest victim, while a set of “ReadMe” files explains that a private key is required to decrypt the files.

The victim is then asked to install the Tor Browser and enter a given address, where they must follow the instructions on the website. It is here that the two Bitcoin ransom is demanded, with file access restored once paid.
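As an added illustration that is not part of the original article, the following Python check shows how a mail gateway could flag the delivery pattern described above: a macro-enabled Office document embedded inside a PDF attachment. The sample PDF object skeleton is constructed for the example, and the object parsing is deliberately minimal (uncompressed objects and literal strings only).

```python
import re

# Macro-capable Office formats that a legitimate PDF attachment rarely carries.
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".pptm")

# /F (name) or /UF (name) inside a /Filespec dictionary. Only literal "(...)"
# strings are handled; hex "<...>" strings and escapes need a real PDF parser.
_FILESPEC_NAME = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")
_FILESPEC_OBJ = re.compile(rb"/Type\s*/Filespec(.*?)endobj", re.S)


def embedded_file_names(pdf_bytes: bytes) -> list:
    """Distinct file names from /Filespec dictionaries. Only uncompressed
    objects are seen; a real scanner would inflate /ObjStm streams first."""
    names = []
    for obj in _FILESPEC_OBJ.finditer(pdf_bytes):
        for raw in _FILESPEC_NAME.findall(obj.group(1)):
            name = raw.decode("latin-1")
            if name not in names:
                names.append(name)
    return names


def assess_pdf(pdf_bytes: bytes) -> dict:
    """Flag a PDF that wraps an embedded macro-enabled Office document."""
    names = embedded_file_names(pdf_bytes)
    macro_docs = [n for n in names if n.lower().endswith(MACRO_EXTENSIONS)]
    if macro_docs:
        verdict = "block"   # PDF carrying a .docm: the Jaff delivery pattern
    elif names or b"/EmbeddedFile" in pdf_bytes:
        verdict = "review"  # some embedded payload, but not an Office macro doc
    else:
        verdict = "clean"
    return {"embedded_files": names, "macro_attachments": macro_docs,
            "verdict": verdict}


# Constructed PDF object skeleton for this example, not a real Jaff sample.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 3 0 R >> >> endobj
3 0 obj << /Names [(report.docm) 4 0 R] >> endobj
4 0 obj << /Type /Filespec /F (report.docm) /UF (report.docm)
           /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
%%EOF
"""
```

Running `assess_pdf(SAMPLE_PDF)` returns a "block" verdict with `report.docm` listed as a macro attachment, while a PDF with no embedded files returns "clean".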

Who Is Behind The Attack?

Many cyber security experts suspect that the same people are behind the Locky and Jaff ransomware attacks, as Jaff used the same distribution and infection method, and its Bitcoin payment site is almost identical to Locky’s.

The site also has exactly the same layout and colour scheme as Locky’s, which has led to speculation among security researchers that this latest malspam campaign has merely borrowed its predecessor’s methodology, which was hugely successful as ransomware in 2016. On that reading, new threat actors are believed to be behind the Jaff ransomware cyber attack.

Security advisors are now aware of the techniques and tactics of these phishing attempts and have set up procedures to anticipate future threats, though you can guarantee the threat actors’ next move will be to ensure they remain a step ahead of the game.