Adding to the havoc created by the recent outbreak of the WannaCry Ransomware is a new entry to the list of encrypting ransomware called ‘Jaff’. Reportedly, this variant has been created by the authors of the Locky ransomware. The source of this ransomware is the Necurs botnet which is using PDF files with embedded docm to distribute this malware.
Although its occurrence was overshadowed by the WannaCry – known to be the world’s biggest ransomware attack, the Jaff ransomware has successfully kept its persistence in the wild. In this attack, spam emails are sent to victims that contain nm.pdf [file name then changed to randomNo.pdf in later mails] as attachments with embedded docm files.
In earlier incidents, such unprecedented spam campaigns were observed delivering the Dridex Banking malware and then Locky ransomware.
How the Jaff ransomware attack happens
1) The targeted victim will receive an email attachment. This may have keywords such as ‘document’, ‘copy’, ‘scan’, etc., in the subject line as shown below.
2) In the above screenshot, the attached nm.pdf contains embedded objects with names such as “U3JPCNQ.docm”, TZLEHYM.docm, etc.
3) Once the victim opens the PDF file, the system’s Adobe reader will throw a warning message stating that the file contains an attachment which may contain viruses or macro.
4) If the user selects ‘Open this file’, the docm file with ‘enable content’ option will get open.
5) Once the macro is enabled, it tries to communicate with hosts stored in an array as shown below (fig 4). It will try to communicate with the hosts one by one. And if it gets any response from any host, it will download malicious content and infect the system with the Jaff ransomware. Otherwise, it will try to connect to the other hosts until it gets any response.
Command and control server communication
6) The downloaded malicious executable starts encrypting the files stored on the victim’s computer with AES encryption, and appends ‘.JAFF’ extension to these files before displaying a ransomware note as shown below. Reportedly, Jaff demands a ransom of $3,300 which is 10 times as much as the ransom demanded by WannaCry ransomware – $300.
Currently, files encrypted by the Jaff ransomware cannot be decrypted.
Malicious URLs observed
How Quick Heal helps
1) Quick Heal’s Email Security feature detects and deletes malicious email attachments such as the ones observed in the case of Jaff ransomware even before they are opened and affect the system.
2) Quick Heal successfully detects PDF and embedded docm files.
3) The Ransomware Protection feature of Quick Heal detects and prevents encryption activity performed by the Jaff ransomware.
How to stay protected against ransomware attacks
Subject Matter Expert
Smita Kuyte | Quick Heal Security Labs