Jaff Ransomware Article | Cyber Security Talks

Jaff ransomware demands $3,600 to decrypt your files

By on May 11, 2017

Pay to Decrypt

Jaff is spreading in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script.

This script will then download and execute the Jaff ransomware.

Both Locky & Jaff used the Necurs botnet and a booby-trapped PDF, Malwarebytes notes.

"This is where the comparison ends, since the code base is different as well as the ransom itself," said Jérôme Segura, a security researcher at Malwarebytes. "Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing."

Jaff ransomware payload [source: Malwarebytes blog]

Proofpoint reckons Jaff may be the work of the same cybercriminals behind Locky, Dridex and Bart (other nasty malware), but this remains unconfirmed.

And Forcepoint Security Labs reports that malicious emails carrying Jaff were being cranked out at a rate of 5 million an hour on Thursday, or 13 million in total at the time it wrote up a blog post about the new threat, hitting computers across the globe.

Carl Leonard, principal security analyst for Forcepoint, commented: "It's unclear if Jaff's links with Locky extend beyond the visual structure of the URLs and documents employed. What is clear given the 13+ million messages sent is that the actors behind the campaign have expended significant resources on making such a grand entrance".


A look inside Jaff ransomware


Jaff is written in C and packed using a custom malware obfuscator. Obfuscators are tools that malware authors use to hide malware beneath potentially multiple layers of encryption and compression in order to make analysis more difficult.

Like most ransomware families, Jaff renames the files it encrypts, adding the .jaff extension. When infecting a system, it drops HTML-based, text-based and picture-based ransom notes named ReadMe.htm, ReadMe.txt and ReadMe.bmp, respectively:

The ransom note Jaff displayed after successful encryption of an infected system

Jaff only contains English ransom note texts at the moment. Current versions ask for a ransom of about 2.036 bitcoins, which is currently worth around 3500 Euros, 3800 US Dollars or 3000 British Pounds.

How does a user get infected with Jaff ransomware?


Jaff is spread via the Necurs downloader/botnet. Previously Necurs was used to distribute Dridex and Locky, which led many researchers to believe that Jaff may be an evolution of the Locky ransomware. However, after analyzing both Locky and Jaff it can be concluded that Jaff ransomware is a completely different and much less sophisticated ransomware family.

At present, Necurs is targeting users via emails with one of the following subjects:

  • Scan_<numbers>
  • File_<numbers>
  • PDF_<numbers>
  • Document_<numbers>
  • Copy_<numbers>

The emails carry a PDF document as an attachment; the PDF asks the user to open the macro-enabled Word document (DOCM) embedded inside it:

Necurs PDF document containing the Macro dropper and requesting the user to open it

If the user chooses to open the DOCM file, it will then prompt the user to “Enable Content” in order to view the document properly:

Necurs employs social engineering techniques to tempt the user into enabling macros

If the user clicks the “Enable Content” button, the malicious macro inside the document becomes active and starts executing. It contacts its command and control server, downloads several XOR-encoded executables, and then decodes and runs them on the user’s system.
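One triage check an analyst can run over the files such a macro drops, or over downloads captured on the network, is to look for an executable hidden behind XOR. The Go program below is an added example, not code from the article or from any vendor cited in it: it assumes a single-byte XOR key (the article only says the files are "XOR encoded" and gives no key length), tries every candidate key, and reports the one under which the blob carries a valid DOS/PE header. The sample blob is constructed inline and is only the header bytes a PE check needs, not a real executable.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Single-byte XOR is assumed here for illustration; the article does not
// state the key length Jaff's macro used.

// looksLikePE reports whether buf starts with a DOS/PE header: "MZ" at offset 0
// and the "PE\0\0" signature at the offset held in e_lfanew (bytes 0x3C..0x3F).
func looksLikePE(buf []byte) bool {
	if len(buf) < 0x40 || buf[0] != 'M' || buf[1] != 'Z' {
		return false
	}
	off := binary.LittleEndian.Uint32(buf[0x3C:0x40])
	if uint64(off)+4 > uint64(len(buf)) {
		return false // e_lfanew points past the end: not a usable header
	}
	return string(buf[off:off+4]) == "PE\x00\x00"
}

// xorBytes returns buf XORed with a single-byte key.
func xorBytes(buf []byte, key byte) []byte {
	out := make([]byte, len(buf))
	for i, b := range buf {
		out[i] = b ^ key
	}
	return out
}

// FindXorKey tries every single-byte key and returns the one under which blob
// decodes to a valid PE header; ok is false if no key does. Key 0 is included,
// so an unencoded executable is reported too (as key 0).
func FindXorKey(blob []byte) (key byte, ok bool) {
	for k := 0; k < 256; k++ {
		if looksLikePE(xorBytes(blob, byte(k))) {
			return byte(k), true
		}
	}
	return 0, false
}

// sampleEncodedPE is a constructed fixture: the minimal header bytes the check
// relies on (not a runnable executable), XOR-encoded with the key 0x5A.
func sampleEncodedPE() []byte {
	hdr := make([]byte, 0x60)
	copy(hdr, "MZ")
	binary.LittleEndian.PutUint32(hdr[0x3C:], 0x40) // e_lfanew: PE header at 0x40
	copy(hdr[0x40:], "PE\x00\x00")
	return xorBytes(hdr, 0x5A)
}

func main() {
	if k, ok := FindXorKey(sampleEncodedPE()); ok {
		fmt.Printf("XOR-encoded PE detected, key 0x%02X\n", k)
	} else {
		fmt.Println("no XOR-encoded PE found")
	}
}
```

Requiring both the "MZ" stub and the "PE\0\0" signature at the offset e_lfanew points to keeps false positives low: a random blob has to satisfy six bytes plus a pointer under the same key. Multi-byte keys would need the same idea applied to a known-plaintext window, which this example does not cover.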



Jaff Key generation and encryption


Jaff uses a mix of RSA and AES to encrypt the user’s data. To facilitate encryption on a system, the Windows CryptoAPI is used. When Jaff arrives on a system, it will first import the malware author’s public RSA key. Once the malware author’s public RSA key has been successfully imported, the malware continues by creating a new 256 bit AES key.

The ransomware then searches all available drives and network shares for files with one of the following extensions:

Once a file matching one of those extensions has been found, the malware encrypts up to the first 512 KB of it with the 256-bit AES key in CBC mode. It then encrypts the AES key with the malware author’s public RSA key and stores it, together with a magic header value, the size of the encrypted block and the encrypted bytes, in a new file. Finally, it appends any unencrypted data to that file.

This procedure may look convoluted at first, but it lets the malware author operate without a command and control server that the malware would have to contact during infection and that could be taken down. As a result, Jaff can and does encrypt files without an internet connection.
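The scheme described in this section, as an added worked example in Go that is neither the article's nor any vendor's code. It models a file in the described layout (magic, encrypted-block size, RSA-wrapped AES key, AES-256-CBC ciphertext, untouched remainder) and then shows what an analyst can and cannot recover from it: the bytes past the encrypted block are readable with no key at all, while the head needs the author's private key. The field sizes and byte order, the magic value, the IV placement, RSA-OAEP as the key wrapping (Windows CryptoAPI would more likely use PKCS#1 v1.5) and the rounding of the encrypted block to whole AES blocks are all this example's assumptions; the key pair and the input file are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Assumed on-disk layout (this example's choices, not documented Jaff values):
//   [4] magic | [4] ciphertext length, LE uint32 | [256] RSA-OAEP-wrapped AES-256 key
//   [16] CBC IV | [n] AES-256-CBC ciphertext of the first <=512 KB | [..] untouched tail
// n is rounded down to whole AES blocks; the few odd bytes simply join the tail.
const (
	maxEncrypt = 512 * 1024 // the article: "up to the first 512 KB"
	rsaBits    = 2048
	wrappedLen = rsaBits / 8
	headerLen  = 8 + wrappedLen + aes.BlockSize
)

var magic = []byte("EXMP") // placeholder; the real magic value is not in the article

type Parsed struct { // the fields an analyst can separate without any key
	WrappedKey, IV, Ciphertext, Tail []byte
}

// NewAuthorKey stands in for the malware author's RSA key pair (constructed here).
func NewAuthorKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, rsaBits) }

// BuildSample writes a constructed fixture in the layout above. Only the public
// key is used, which is why the scheme needs no C2 contact during infection.
func BuildSample(plain []byte, pub *rsa.PublicKey) ([]byte, error) {
	keyIV := make([]byte, 32+aes.BlockSize) // fresh AES-256 key followed by the IV
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	n := len(plain)
	if n > maxEncrypt {
		n = maxEncrypt
	}
	n -= n % aes.BlockSize
	block, _ := aes.NewCipher(keyIV[:32]) // cannot fail: key is exactly 32 bytes
	ct := make([]byte, n)
	cipher.NewCBCEncrypter(block, keyIV[32:]).CryptBlocks(ct, plain[:n])
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, keyIV[:32], nil)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.Write(magic)
	binary.Write(&out, binary.LittleEndian, uint32(n))
	out.Write(wrapped)
	out.Write(keyIV[32:])
	out.Write(ct)
	out.Write(plain[n:]) // everything past the encrypted block is copied as-is
	return out.Bytes(), nil
}

// Parse separates the fields; no key is needed, so Tail is readable directly.
func Parse(blob []byte) (*Parsed, error) {
	if len(blob) < headerLen || !bytes.Equal(blob[:4], magic) {
		return nil, fmt.Errorf("not in the expected layout")
	}
	n := int(binary.LittleEndian.Uint32(blob[4:8]))
	if n%aes.BlockSize != 0 || len(blob)-headerLen < n {
		return nil, fmt.Errorf("bad ciphertext length %d", n)
	}
	return &Parsed{WrappedKey: blob[8 : 8+wrappedLen], IV: blob[8+wrappedLen : headerLen],
		Ciphertext: blob[headerLen : headerLen+n], Tail: blob[headerLen+n:]}, nil
}

// Decrypt needs the author's private key to unwrap the per-file AES key; with
// any other key the unwrap fails and the encrypted head stays unrecoverable.
func Decrypt(blob []byte, priv *rsa.PrivateKey) ([]byte, error) {
	p, err := Parse(blob)
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, p.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap AES key: %w", err)
	}
	block, _ := aes.NewCipher(key) // a successful unwrap always yields 32 bytes
	pt := make([]byte, len(p.Ciphertext))
	cipher.NewCBCDecrypter(block, p.IV).CryptBlocks(pt, p.Ciphertext)
	return append(pt, p.Tail...), nil
}

func main() {
	priv, _ := NewAuthorKey()
	blob, _ := BuildSample(bytes.Repeat([]byte("sample "), 100*1024), &priv.PublicKey) // ~700 KB constructed input
	p, _ := Parse(blob)
	fmt.Printf("%d bytes encrypted, %d bytes left in the clear\n", len(p.Ciphertext), len(p.Tail))
}
```

Two things the code makes concrete that the prose only states: the public key alone suffices to produce a file nobody but the private-key holder can open, so the malware never has to phone home; and because only the first 512 KB is touched, an analyst carving a large file (a database, an archive, a video) gets everything after that point back intact, which is worth knowing when prioritising recovery.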

Unfortunately, an evaluation of the way Jaff performs its encryption shows no way to restore encrypted files without access to the malware author’s private key. However, due to some oversights by the ransomware authors, it may be possible to restore some files via other means.


How can you protect yourself from the Jaff ransomware?


To safeguard against such ransomware infections, always be suspicious of uninvited documents sent by email and never click on links inside those documents without verifying the source.

Check if macros are disabled in your Microsoft Office applications. If not, block macros from running in Office files from the Internet. In enterprises, your system admin can set the default setting for macros.

To keep a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not permanently connected to your PC.



Elmalla A. (@elmalla) is Chief Sales Officer at i-AWCS, which focuses on web application security solutions.