Attackers behind the highly successful Locky and Bart ransomware campaigns have returned with a new creation: A malicious file-encrypting program called Jaff that asks victims for payments of around $3,700.
Like Locky and Bart, Jaff is distributed via malicious spam emails sent by the Necurs botnet, according to researchers from Malwarebytes. Necurs first appeared in 2012 and is one of the largest and longest-running botnets around today.
According to an April analysis by researchers from IBM Security, Necurs is made up of about 6 million infected computers and is capable of sending batches of millions of emails at a time. It is also indirectly responsible for a large percentage of the world’s cybercrime because it’s the main distribution channel for some of the worst banking Trojan and ransomware programs.
Safe to say that since Jaff is being distributed by Necurs, it will hit a lot of mailboxes.
The emails observed so far attempt to mimic the automated emails sent by printers: The subject line is simply one of the words Copy, Document, Scan, File or PDF, followed by a random number.
The attachment is a PDF file called nm.pdf that has a Word document embedded into it. This second document has malicious macros attached and contains instructions for users to allow the code to execute.
If the macros are allowed to run, they will download and install the Jaff ransomware, which immediately starts encrypting files that match a long list of targeted file extensions. After encryption, the affected files will get a .jaff extension appended to them.
The ransomware also creates two files with instructions for making a bitcoin payment in order to obtain a decryptor program. The payment portal is hosted on the Tor network and is visually identical to the portal used by the Bart ransomware, suggesting a relationship between these two threats.
While there are some similarities with Locky and Bart, the Jaff ransomware uses a different code base, so it’s a separate program, according to the Malwarebytes researchers.
Another interesting aspect is the ransom amount of 2 bitcoins, or around $3,700, which is significantly higher than what most other ransomware programs ask for.
Users should always be suspicious of unsolicited documents sent to them by email and should never allow the execution of active content inside documents unless they can verify their source. The best protection against ransomware is having a good backup routine in place that makes copies to an external storage device that’s not always connected to the computer.