Jaff Ransomware Causes Havoc

What Is It?

Jaff ransomware was first released into the wild on May 11, 2017, just a day before the initial WannaCry attack. Due to the significantly greater scope and impact of WannaCry, Jaff has been somewhat overshadowed in terms of coverage.

It was spread via malicious spam emails sent by the Necurs botnet. The Necurs botnet has been in existence since 2012 and although temporarily going offline in June 2016 for a few weeks, has been responsible for distributing various malware families, including the Dridex banking trojan and Locky ransomware. At its peak, it is believed approximately 5 million malicious spam emails were being sent per hour in an attempt.

The spam emails used to distribute Jaff used subject lines that included Copy_, Document_, Scan_, File_ or PDF_ followed by random numbers. The infection vector was an attached PDF file which contained an embedded Microsoft Word DOCM document. This document contained a malicious macro, which if permitted to run by the user, downloaded and immediately executed the Jaff ransomware. However, if the infected system used Russian as the default language, Jaff would delete itself prior performing any encryption.

When executed, the ransomware searched for and encrypted files matching 424 specific file extensions. Encrypted files had the “.jaff” extension appended to their filenames, which is the root of its name. The file encryption was cryptographically secure, which meant that there was no way to decrypt the files without the decryption key. The attackers requested payment of just over 2 bitcoins (about US$12,500). It appeared that the ransomware’s authors copied the payment request code from the Locky ransomware.

How Does It Propagate?

Jaff ransomware does not contain the necessary code to self-propagate, unlike WannaCry. The attack vector was spam emails with PDF attachments which contained an embedded Microsoft Word file. This Word file had a malicious macro, which if the user was convinced to allow it to run, downloaded and execute the ransomware.

When/How Did BluVector Detect It?

The Jaff ransomware attack initially consisted of the PDF file containing the malicious Microsoft Word document and the Jaff ransomware executable. BluVector’s patented Machine Learning Engine (MLE) detected both. Regression testing has shown the PDF file would been detected 44 months prior to its release in May 2017 and the Jaff ransomware would have been detected 5 months prior to its release. In fact, in May 2017, BluVector detected over 2,000 instances of Jaff at IBC Bank, even before Jaff had been identified and named by anti-virus vendors.

All Threat Reports