Jaff, a new ransomware threat with possible ties to Locky, burst onto the scene on May 11, flooding networks with high-volume email spam campaigns via the Necurs botnet and demanding well over $3,000 in extortion money to free victims' encrypted files.
The spam emails include a PDF attachment with an embedded Word document containing a malicious VBA macro that downloads the ransomware payload from one of multiple domains. On Thursday, Proofpoint reported detecting "tens of millions of messages" with these PDF attachments. Likewise, Forcepoint reported that within a four-hour period, the number of Jaff attacks observed by its systems totaled 13 million, with traffic volumes peaking at nearly 5 million attack emails per hour.
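As an added illustration of how a defender might triage that delivery chain (this is example code written for this page, not tooling from any of the vendors cited), the script below pulls `/EmbeddedFile` streams out of a PDF and flags any embedded Office document that carries a `vbaProject.bin` macro container. It assumes uncompressed streams, and the sample PDF it builds is constructed inline, not a real Jaff lure.

```python
import io
import re
import zipfile

# Matches an uncompressed PDF stream object and captures its dictionary and body.
# Assumption: no /FlateDecode filter; a production scanner would inflate first.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def find_embedded_files(pdf_bytes):
    """Return the payload of every stream whose dictionary declares /EmbeddedFile."""
    return [body for header, body in STREAM_RE.findall(pdf_bytes)
            if b"/EmbeddedFile" in header]

def office_has_vba(blob):
    """True if blob is an OOXML zip (docx/xlsm/...) that carries a VBA project part."""
    if not blob.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(name.endswith("vbaProject.bin") for name in z.namelist())
    except zipfile.BadZipFile:
        return False

def scan_pdf(pdf_bytes):
    """Count embedded files and flag the PDF if any of them is a macro-enabled document."""
    embedded = find_embedded_files(pdf_bytes)
    macro_hits = sum(1 for blob in embedded if office_has_vba(blob))
    return {"embedded_files": len(embedded), "macro_docs": macro_hits,
            "verdict": "suspicious" if macro_hits else "clean"}

def build_sample_pdf(with_macro):
    """Constructed sample: a minimal PDF wrapping a docx-like zip, with or without a VBA part."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE header")
    payload = zbuf.getvalue()
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /EmbeddedFile /Length "
            + str(len(payload)).encode() + b" >>\nstream\n" + payload
            + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for flag in (True, False):
        print(scan_pdf(build_sample_pdf(flag)))
```

A mail gateway rule that quarantines PDFs scoring "suspicious" here catches this specific nesting trick without needing a signature for the macro body itself.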
Other cybersecurity companies cited lower, but still significant volumes of Jaff spam sent by Necurs. Check Point Software Technologies reported that at one point, its global sensors detected an infection rate of approximately 10,000 emails sent per hour. And Cisco Talos reported observing over 100,000 malicious messages over two separate campaigns.
The campaign has had a global reach, with organizations in Ireland, Israel, Belgium, the Netherlands, Italy, Germany, France, Mexico, and Australia receiving significant levels of malicious email, Forcepoint further reported. Because it uses Necurs, the botnet that helped Locky and Dridex reach millions of victims, Check Point even predicted that Jaff "might quickly climb to our list of top malware."
Jaff, which got its name from the file extension it appends to infected files, encrypts over 400 types of files. According to various accounts, Jaff at the very least shares a significant number of attributes with Locky, one of the most widely distributed ransomware families in the world. Both Jaff and Locky rely heavily on Necurs and on spam emails carrying malicious documents, they share some of the same command-and-control infrastructure, they both debuted with high-volume campaigns, and their payment sites on Tor resemble each other's. Forcepoint also notes that Jaff, like Locky, attempts to delete itself if the local language on the infected machine is Russian.
In its blog report, Proofpoint asserted that the adversary behind Jaff is the same actor responsible for distributing Locky via Necurs, as well as the Dridex banking malware and Bart ransomware. "The actors behind the distribution of Dridex and Locky regularly try new document types, lures, exploits, and more to deliver their payloads more effectively," Proofpoint stated in its blog post. "After months of distributing Dridex in high-volume campaigns, they introduced Locky ransomware, which ultimately became the primary payload in the largest campaigns we have ever observed. Within months, they also brought Bart ransomware to the scene. While Bart never gained significant traction, the appearance of Jaff ransomware from the same group bears watching."
Talos was more measured, however, noting that while the same actor might be involved, "This is much more than a retooled version of Locky... There is very little similarity between the two codebases... and the malware itself is distinct enough in nature that it should be treated and referred to as a different ransomware family altogether."
The actual spam lures are surprisingly basic, with simple subject lines referring to a receipt, file or document with a random file number assigned to it. "It does not appear that the attackers put any significant amount of effort into the creation of the emails associated with these campaigns," notes Talos.
Once activated, Jaff generates ransom notes in the form of a .bmp, .html and .txt file, informing victims that they must install and run Tor, then enter a specific address and decryption ID in order to obtain a private key located on a "secret server in the Internet." Ransom demands observed by researchers ranged from approximately $3,300 in bitcoins to around $3,800.
Noting that the attack appeared "serious and widespread," Malwarebytes in a blog post yesterday credited the discovery of the ransomware to the security researcher S!Ri, who tweeted about the attack on May 11.