OK, so we all had the news about WannaCry shoved in our faces, which is a good thing; however, the fact that it is no longer headline news does not mean you can let your guard down. There is yet another variant of your typical ransomware on the loose, and given that it has only come about early this month (May 2017), software vendors may not have had a chance to plug the leaks. Below is a copy/paste from IBM X-Force Exchange and is well worth a read.
New ransomware dubbed as “JAFF” surfaced onto the threat landscape. Initial infection is speculated to have started on May 2nd, 2017 (possibly as early as April 24th, 2017). “The JAFF ransomware is a robust ransomware that leverages some of the most prolifically-used delivery mechanisms in phishing email and embodies characteristics associated with other very successful malware.” The JAFF ransomware utilizes delivery mechanisms (Microsoft Word documents containing macro scripting that were in turn delivered as an embed in PDFs) seen in other well-known ransomware campaigns, such as Bart, Locky and Dridex distributions. Given its similarities to the Locky ransomware, it is possible that the JAFF ransomware is written in C. As mentioned briefly, the ransomware uses .PDF files which run Microsoft Word with embedded malicious macros. Files that are encrypted will receive the .jaff extension (i.e. Test.doc.jaff). The encryption algorithms used are believed to be AES and RSA. In addition, CryptoAPI (which is implemented in the Windows OS) is used for the complex encryption process. One of the JAFF ransomware properties (vssadmin.exe delete shadows /all /Quiet) could erase the Shadow Volume Copies from Windows OS, making recovery techniques difficult which rely on archived Shadow Volume Copies.
It’s believed that the JAFF ransomware is being distributed via the Necurs Botnet. Necurs is responsible for an increase in spam-driven malware distribution last year and the main source of Locky infections (Necurs was silent for the first three months of 2017. At the end of March, however, the botnet resumed activity, yet it returned to pushing Locky only in late April). In addition to using the same infection vector as Locky, the JAFF ransomware features a similar payment page too, but appears to be using a different code base. However, the new ransomware is supposedly operated by the same actors that are behind Locky Affid=3 and Dridex 220/7200/7500. Last year, the same threat group released Bart ransomware, a Locky variant that didn’t require connection to a command and control (C&C) server to encrypt victims’ files. “Similarly, after months of distributing Dridex in high-volume campaigns, they introduced Locky ransomware, which ultimately became the primary payload in the largest campaigns we have ever observed. Within months, they also brought Bart ransomware to the scene. While Bart never gained significant traction, the appearance of JAFF ransomware from the same group bears watching.”
Source: IBM X-Force Exchange
Read more here: https://exchange.xforce.ibmcloud.com/collection/JAFF-Ransomware-23c3278e5ee29bc5a439636d34321357
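As an added defensive example (my own, not part of the IBM write-up), the routine below scans process-creation records for the two behaviours described above: the vssadmin shadow-copy deletion command and a child process spawned by Word, which is how the macro-laden documents get going. The records are constructed, Sysmon-style samples, and the field names (Image, CommandLine, ParentImage) and file paths are assumptions about the log format.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /Quiet",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\payload.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",          # benign admin use
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c "VSSADMIN Delete Shadows /quiet /all"',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"},
]

# Matches "vssadmin ... delete ... shadows" regardless of case, switch order,
# or whether the call is wrapped in cmd.exe /c. Only deletion is flagged;
# "list shadows" is normal administration and stays quiet.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Word is the only Office host named in the write-up; extend as needed.
OFFICE_HOSTS = {"winword.exe"}


def classify(event: dict) -> list:
    """Return the list of detection names that fire for one record."""
    findings = []
    if SHADOW_DELETE.search(event.get("CommandLine", "")):
        findings.append("shadow-copy-deletion")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_HOSTS:
        findings.append("office-spawned-process")
    return findings


def scan(events: list) -> list:
    """Return (command line, findings) pairs for every record that fires."""
    hits = []
    for event in events:
        findings = classify(event)
        if findings:
            hits.append((event.get("CommandLine", ""), findings))
    return hits


if __name__ == "__main__":
    for command_line, findings in scan(SAMPLE_EVENTS):
        print(f"{', '.join(findings):40} {command_line}")
```

Either finding alone deserves a look; the third record, where the deletion runs under WINWORD.EXE, is the combination this campaign produces and is the one to page on.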