Another nasty variant of Locky ransomware “Jaff” has made its way into our email boxes. This is a major malicious email campaign from the Necurs botnet spreading the Jaff ransomware with a rate of nearly 5 million emails per hour. According to an April analysis by researchers from IBM Security, Necurs is made up of about 6 million infected computers and is capable of sending batches of millions of emails at a time. It is also indirectly responsible for a large percentage of the world’s cybercrime because it’s the main distribution channel for some of the worst banking Trojan and ransomware programs. Unfortunately, since the Necurs Botnet is spreading the the Jaff ransomware you can be sure it will reach a lot of email boxes.
The emails observed so far attempt to mimic the automated emails sent by printers: The subject line is simply one of the words Copy, Document, Scan, File or PDF, followed by a random number.
The attachment is a PDF file called nm.pdf that has a Word document embedded into it. This second document has malicious macros attached and contains instructions for users to allow the code to execute.
If the macros are allowed to run, they will download and install the Jaff ransomware, which immediately starts encrypting files that match a long list of targeted file extensions. After encryption, the affected files will get a .jaff extension appended to them.
The ransomware also creates two files with instructions for making a bitcoin payment in order to obtain a decryption program. The payment portal is hosted on the Tor network and is visually identical to the portal used by the Bart ransomware, suggesting a relationship between these two threats.
While there are some similarities with Locky and Bart, the Jaff ransomware uses a different code base, so it’s a separate program, according to the Malwarebytes researchers.
Another interesting aspect is the ransom amount of 2 bitcoins, or around $3,700, which is significantly higher than what most other ransomware programs ask for.
Users should always be suspicious of unsolicited documents sent to them by email and should never allow the execution of active content inside documents unless they can verify their source. The best protection against ransomware is having a good backup routine in place that makes copies to an external storage device that’s not always connected to the computer.
[contentblock id=97 img=gcb.png]