Jaff ransomware, a new Locky-type encryptor, is being distributed by the same group responsible for distributing the Dridex banking Trojan and Locky ransomware. This group has also previously used Bart ransomware to encrypt files in an attempt to extort money from companies.
Unlike Locky and many other ransomware strains, the individuals behind Jaff ransomware are seeking a large ransom payment to unlock files, suggesting the new strain will be used to target businesses rather than individuals. The ransom demand per infected machine is 1.79 Bitcoin, around $3,300 at the time of writing. By comparison, WannaCry demanded only $300 per infected machine.
The group has used exploit kits in the past to spread infections, although spam email is used for the most recent campaign. Whether that will remain the sole distribution mechanism remains to be seen. Millions of spam email messages have already been sent through the Necurs botnet, according to Proofpoint researchers who identified the new encryptor.
The emails carry a PDF file attachment rather than a Word document. Those PDF files contain embedded Word documents with macros that install the malicious payload. The same delivery method has been seen with Locky ransomware in recent weeks.
The change of attachment type is believed to be an attempt to trick users into opening the attachments. There has been a lot of publicity about malicious Word documents attached to emails from unknown senders, and a PDF may not attract the same suspicion. The change could therefore see more end users open the attachments and infect their devices.
Opening the PDF file presents the user with a screen advising them that the contents of the document are protected. They are asked to ‘enable editing’, that is, to ignore the security warning and enable macros. Enabling macros leads to infection. Jaff ransomware then searches for and encrypts a wide variety of file types, including images and multimedia files, databases, office documents and backups.
There is no known decryptor for Jaff ransomware at present. Recovery depends on a viable backup that the ransomware has not been able to encrypt; since Jaff also targets backup files it can reach, backups need to be kept offline or otherwise isolated from the infected machine. The only other options are to pay the sizable ransom or permanently lose the files.
To safeguard against the threat, an advanced spam filtering solution should be implemented to stop the emails from reaching end users’ inboxes, and attachments that carry embedded documents containing macros should be blocked or quarantined at the gateway. As a failsafe, staff should be warned about the threat of ransomware and instructed not to open file attachments from unknown senders, and never to enable macros or ‘editing’ because a document asks them to. They should also be warned specifically about PDF files containing embedded Word documents.
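As an added example (not part of the original article, and not code from the Jaff operators or from any vendor named above), the following Python script shows the kind of gateway check that would catch the PDF-wrapping-a-macro-document delivery described above: it pulls /EmbeddedFile streams out of a PDF and flags any embedded Office document that carries a VBA project (vbaProject.bin inside an OOXML package, or a legacy OLE container that would need deeper inspection). The sample PDF and the embedded .docm are constructed inline so it runs offline; the file names and the simplified PDF builder are illustrative. It deliberately handles only uncompressed streams with a direct /Length, which is enough to demonstrate the logic; real attachments normally use /FlateDecode and indirect objects, so a production filter should extract attachments with a proper PDF parser before applying the same classification.

```python
from __future__ import annotations

import io
import re
import zipfile

# OOXML parts whose presence means the document carries VBA macros.
OOXML_MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML packages are ZIP archives

# Matches an uncompressed /EmbeddedFile stream dictionary with a direct /Length.
# Simplification for the example: no /Filter, no indirect /Length, no nested dicts.
EMBEDDED_STREAM_RE = re.compile(
    rb"/Type\s*/EmbeddedFile[^>]*?/Length\s+(\d+)[^>]*>>\s*stream\r?\n"
)


def extract_embedded_files(pdf: bytes) -> list[bytes]:
    """Return the raw bytes of every /EmbeddedFile stream found in the PDF."""
    blobs = []
    for m in EMBEDDED_STREAM_RE.finditer(pdf):
        start, length = m.end(), int(m.group(1))
        blobs.append(pdf[start:start + length])
    return blobs


def classify_embedded(blob: bytes) -> str:
    """Classify an embedded file as ooxml-with-macros, ooxml, ole or other."""
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "other"
        return "ooxml-with-macros" if any(p in names for p in OOXML_MACRO_PARTS) else "ooxml"
    if blob.startswith(OLE_MAGIC):
        # Legacy binary Office format: macros live in OLE streams, so treat as
        # suspect unless an OLE parser (e.g. oletools) has cleared it.
        return "ole"
    return "other"


def scan_pdf(pdf: bytes) -> list[tuple[str, bool]]:
    """Return (classification, block?) for each embedded file in the PDF."""
    verdicts = []
    for blob in extract_embedded_files(pdf):
        kind = classify_embedded(blob)
        verdicts.append((kind, kind in ("ooxml-with-macros", "ole")))
    return verdicts


# --- Constructed fixtures for the demonstration (not real malware) ----------

def build_docm(with_macros: bool) -> bytes:
    """Build a minimal OOXML package, optionally with a stub vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 24)  # header only
    return buf.getvalue()


def build_pdf_with_attachment(name: str, payload: bytes) -> bytes:
    """Build a minimal PDF whose /EmbeddedFiles name tree carries one attachment."""
    fname = name.encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(" + fname + b") 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (" + fname + b") /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Length %d >>\nstream\n" % len(payload) + payload + b"\nendstream",
    ]
    out = io.BytesIO()
    out.write(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(out.tell())
        out.write(b"%d 0 obj\n" % num + body + b"\nendobj\n")
    xref = out.tell()
    out.write(b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1))
    for off in offsets:
        out.write(b"%010d 00000 n \n" % off)
    out.write(b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref))
    return out.getvalue()


if __name__ == "__main__":
    for label, macros in (("invoice.docm", True), ("invoice.docx", False)):
        pdf = build_pdf_with_attachment(label, build_docm(macros))
        print(label, scan_pdf(pdf))
```

Run stand-alone, the script prints a block verdict for the macro-bearing attachment and a pass for the plain .docx. The classification is intentionally conservative: a legacy OLE attachment is flagged as well, because whether it contains VBA cannot be decided without parsing its streams, and a filter that lets it through on the strength of a file extension alone repeats the mistake the attackers are counting on.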