The Cloud Consultancy Europe Ltd.

Jaff, a ransomware family that shares traits with the Locky malware, is being sent out at a rate of five million emails an hour in an attempt to infect users’ PCs, and it demands 1.79 Bitcoin (£2,780) to unlock encrypted computer files if it succeeds.

According to Forcepoint Security Lab, the malicious email campaign originates from the Necurs botnet. The company said that although professionals may regard the emails as an obvious infection attempt, the campaign is still likely to infect some machines because of its potential reach and ‘human vulnerability’.

The security company said that the campaign had gone global – primarily affecting organisations in the UK and US, as well as Ireland, Belgium, the Netherlands, Italy, Germany, France, Mexico and Australia.

The campaign sends users an e-mail with a PDF document attached; the PDF contains an embedded DOCM file carrying a malicious macro script. Once clicked on, the script downloads and executes the Jaff ransomware.
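The lure described above (a PDF wrapping a macro-enabled DOCM) is something a mail gateway can check for before the message reaches a user. The following is an added example, not Forcepoint's or the article's code: it pulls every uncompressed /EmbeddedFile stream out of a PDF, reads the attachment names from the Filespec dictionaries, and quarantines the message if the name has a macro-enabled extension or the embedded content is an OOXML zip containing a VBA project. The sample PDF and DOCM are constructed in memory; real-world PDFs usually compress streams with FlateDecode, which this minimal parser does not handle, so treat it as the shape of the check rather than a drop-in gateway filter.

```python
import io
import re
import zipfile

# Added example; not code from the article or from Forcepoint. Assumed names:
# triage_pdf, extract_embedded_files, contains_vba_project, build_* helpers.

MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".ppam")  # OOXML macro-enabled types
EMBEDDED_RE = re.compile(rb"<<([^>]*?/Type\s*/EmbeddedFile[^>]*?)>>\s*stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")
FILESPEC_RE = re.compile(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)")


def extract_embedded_files(pdf: bytes) -> list:
    """Return the raw bytes of every uncompressed /EmbeddedFile stream in the PDF."""
    payloads = []
    for m in EMBEDDED_RE.finditer(pdf):
        length = LENGTH_RE.search(m.group(1))
        if not length:
            continue
        start = m.end()  # first byte after "stream\n"
        payloads.append(pdf[start:start + int(length.group(1))])
    return payloads


def contains_vba_project(blob: bytes) -> bool:
    """True if blob is an OOXML zip carrying a VBA project, i.e. a macro-enabled Office document."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage_pdf(pdf: bytes) -> dict:
    """Classify a PDF attachment the way a gateway might: allow, review or quarantine."""
    names = [n.decode("latin-1") for n in FILESPEC_RE.findall(pdf)]
    payloads = extract_embedded_files(pdf)
    macro_by_name = any(n.lower().endswith(MACRO_EXTENSIONS) for n in names)
    macro_by_content = any(contains_vba_project(p) for p in payloads)  # catches renamed payloads
    if macro_by_name or macro_by_content:
        verdict = "quarantine"
    elif names or payloads:
        verdict = "review"  # any embedded file deserves a look, even if not obviously macro-enabled
    else:
        verdict = "allow"
    return {"attachments": names, "embedded_streams": len(payloads),
            "macro_container": macro_by_content, "verdict": verdict}


def build_docm_bytes() -> bytes:
    """Constructed stand-in for a DOCM: an OOXML zip whose notable member is word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a real VBA project
    return buf.getvalue()


def build_pdf_with_attachment(name: str, payload: bytes) -> bytes:
    """Hand-assembled minimal PDF: one Filespec pointing at an uncompressed EmbeddedFile stream."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(%s) 4 0 R] >> >> >>" % name.encode(),
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n%s\nendstream" % (len(payload), payload),
        b"<< /Type /Filespec /F (%s) /EF << /F 3 0 R >> >>" % name.encode(),
    ]
    out = b"%PDF-1.7\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    lure = build_pdf_with_attachment("invoice.docm", build_docm_bytes())
    print(triage_pdf(lure))  # constructed lure: quarantined by name and by content
```

Checking the embedded content and not only the declared filename is the point of the example: an attachment named `notes.txt` that is really a zip with `vbaProject.bin` inside still trips the quarantine rule.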

The ransomware targets 423 file extensions and can encrypt files offline, without depending on a command-and-control server. Once a file is encrypted, the ‘.jaff’ extension is appended to its name.

A ransom note is dropped into every affected folder, and the desktop background of the infected system is replaced. The notes tell users that their files are encrypted and that, to decrypt them, the user needs to obtain the private key, which “is located on a secret server in the internet”.
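Because Jaff encrypts offline and marks its output by appending ‘.jaff’, an incident responder's first question on a suspect host is usually which folders were hit and how many files are actually ciphertext. The script below is an added example, not code from the article or from Forcepoint: it walks a directory tree, and counts a ‘.jaff’ file as encrypted only when its content is high-entropy, so a file that was merely renamed is reported separately. The victim-like directory is constructed in a temporary folder, and the 7.0 bits-per-byte threshold is an assumption chosen to separate random-looking ciphertext (close to 8.0) from text and most office formats.

```python
import math
import os
import tempfile
from collections import Counter

# Added example; not the article's or Forcepoint's code. Function names, the
# entropy threshold and the sample directory layout are all assumptions.

JAFF_EXT = ".jaff"  # extension appended by Jaff, as described in the article


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: random-looking ciphertext sits near 8.0, plain text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, ext: str = JAFF_EXT, entropy_floor: float = 7.0) -> dict:
    """Report folders that hold encrypted files carrying the ransomware extension.

    Only the first 4 KiB of each candidate is read, which is enough to tell
    ciphertext from a renamed plaintext file and keeps the scan cheap.
    """
    affected = {}
    renamed_only = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(ext):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                head = fh.read(4096)
            if shannon_entropy(head) >= entropy_floor:
                affected.setdefault(dirpath, []).append(fn)
            else:
                renamed_only.append(path)  # has the extension but is not ciphertext
    return {"affected_folders": affected, "renamed_only": renamed_only,
            "encrypted_files": sum(len(v) for v in affected.values())}


def build_sample_tree() -> str:
    """Constructed victim-like tree: two hit folders, one clean folder with a decoy rename."""
    root = tempfile.mkdtemp(prefix="jaff_demo_")
    for sub in ("Documents", "Pictures", "Clean"):
        os.makedirs(os.path.join(root, sub))
    for name in ("report.docx.jaff", "budget.xlsx.jaff"):
        with open(os.path.join(root, "Documents", name), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for ciphertext
    with open(os.path.join(root, "Pictures", "holiday.jpg.jaff"), "wb") as fh:
        fh.write(os.urandom(4096))
    with open(os.path.join(root, "Clean", "todo.txt"), "wb") as fh:
        fh.write(b"buy milk\n" * 50)
    with open(os.path.join(root, "Clean", "fake.jaff"), "wb") as fh:
        fh.write(b"A" * 4096)  # low entropy: renamed, not encrypted
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(report["encrypted_files"], "encrypted files in", len(report["affected_folders"]), "folders")
```

On a real host the same walk, pointed at user profile and share roots, gives a quick scope of the damage before any restore-from-backup decision; the renamed-only list is worth keeping because it distinguishes files the ransomware touched from ones a user or another tool renamed.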

The note tells the user to install the Tor Browser, enter a web address into it, and follow the instructions there.

‘Cousin Locky’

Forcepoint suggested there were several indicators of a possible association between Jaff and Locky. Locky was also spread by the Necurs botnet, and the Tor-based payment sites for the two families are similar. The code of both attempts to delete itself if the machine’s local language is ‘LANG_RUSSIAN’, and Jaff attempts to connect to a C2 server at a known Locky domain.

“It is unclear if Jaff’s links with Locky extend beyond the visual structure of the URLs and documents employed,” Forcepoint said.

“What is clear, given the volume of messages sent, is that the actors behind the campaign have expended significant resources on making such a grand entrance. With the high ransom value suggesting the perpetrators of this campaign intend to recoup their costs, it would be surprising if Jaff fades from the limelight as suddenly”.

Locky is a strain of Dridex; it made its name after attacking a hospital in the US, which paid $17,000 in bitcoin to decrypt important data.