Jaff targets Windows and is distributed via malicious emails sent through the Necurs botnet. These emails carry subject headers such as Scan_84686473 and a PDF attachment named nm.pdf. When the PDF is opened, the user is either prompted to open an embedded DOCM file or the document launches automatically. Once launched, the document asks the user to enable macros in order to read it; if macros are enabled, they download and execute the Jaff ransomware.

Jaff first connects to its C2 server to notify the attacker behind the campaign that a new system has been infected. It then begins encrypting files with AES, appending .jaff to each affected file name. After a file is encrypted, Jaff encrypts the AES key with an RSA key and prepends it to the encrypted file. Jaff also drops a bitmap image named WallpapR.bmp in the C:\ProgramData\Rondo folder and uses it to replace the victim's desktop wallpaper. It drops ransom notes named ReadMe.bmp, ReadMe.html, and ReadMe.txt, which contain a unique 10-digit decryption ID and the address of a TOR payment portal.

Security researchers initially believed Jaff was a new strain of Locky, because its payment site HTML mimics Locky's. On closer inspection, however, they determined that Jaff's functionality differs greatly from Locky's. Jaff demands a ransom of $3,700 worth of Bitcoin.
Extensions appended to encrypted file names:
.jaff, .wlu, .sVn
Ransom note file names:
WallpapR.bmp, ReadMe.bmp, ReadMe.html, ReadMe.txt, README_TO_DECRYPT1.txt, README_TO_DECRYPT1.bmp, README_TO_DECRYPT.html, !!!!!SAVE YOUR FILES!!!!.txt, !!!SAVE YOUR FILES!.bmp
Subject headers associated with Jaff malspam:
Copy_[random numbers], Document_[random numbers], Scan_[random numbers], File_[random numbers], PDF_[random numbers], Copy of Invoice [random numbers], Invoice(random numbers)
UPDATE 5/24/2017: A new version of Jaff appends .wlu to encrypted file names, displays a ransom note that uses green font on a black background, and demands a ransom payment of 0.35630347 Bitcoin. Its distribution method remains the same as the initial version.
UPDATE 6/5/2017: Researchers have discovered a link between Jaff ransomware and a Russian dark web marketplace selling stolen credit card data, suggesting an evolution and diversification of attack methods by profit-motivated cybercriminals.
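The extensions, ransom note names, attachment name and subject patterns listed above are enough to build a simple triage check. The following script is an added example, not code from the original profile or from any of the linked sources: it matches mail subjects against the listed patterns, flags the nm.pdf attachment, and scans a list of file paths for the encrypted-file extensions and ransom note names. The sample subjects and paths are constructed for illustration, the "[random numbers]" placeholders are assumed to mean a run of digits, and the confidence levels are this example's own weighting (a bare ReadMe.txt is too common to be treated as strong evidence on its own).

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the profile above; all name comparisons are case-insensitive
# so that ".sVn" and mixed-case note names still match.
JAFF_EXTENSIONS = {".jaff", ".wlu", ".svn"}
JAFF_NOTE_NAMES = {
    "wallpapr.bmp", "readme.bmp", "readme.html", "readme.txt",
    "readme_to_decrypt1.txt", "readme_to_decrypt1.bmp", "readme_to_decrypt.html",
    "!!!!!save your files!!!!.txt", "!!!save your files!.bmp",
}
# Note names that also occur on clean systems; on their own they are weak evidence.
GENERIC_NOTE_NAMES = {"readme.txt", "readme.html", "readme.bmp"}
ATTACHMENT_NAME = "nm.pdf"

# Subject header patterns; "[random numbers]" is assumed to be one or more digits.
SUBJECT_PATTERNS = [
    re.compile(r"^(Copy|Document|Scan|File|PDF)_\d+$"),
    re.compile(r"^Copy of Invoice \d+$"),
    re.compile(r"^Invoice\(\d+\)$"),
]


def subject_matches(subject: str) -> bool:
    """True if the subject line follows one of the listed Jaff malspam patterns."""
    s = subject.strip()
    return any(p.match(s) for p in SUBJECT_PATTERNS)


def classify_email(subject: str, attachments: list[str]) -> list[str]:
    """Return the list of reasons an email looks like Jaff malspam (empty if none)."""
    reasons = []
    if subject_matches(subject):
        reasons.append("subject matches Jaff malspam pattern")
    if any(a.lower() == ATTACHMENT_NAME for a in attachments):
        reasons.append("attachment named nm.pdf")
    return reasons


def scan_paths(paths: list[str]) -> dict[str, list[str]]:
    """Split a list of file paths into Jaff-encrypted files and Jaff ransom notes."""
    encrypted, notes = [], []
    for p in paths:
        # PureWindowsPath handles both backslash and slash separators on any host.
        name = PureWindowsPath(p).name
        if name.lower() in JAFF_NOTE_NAMES:
            notes.append(p)
        elif PureWindowsPath(name).suffix.lower() in JAFF_EXTENSIONS:
            encrypted.append(p)
    return {"encrypted": encrypted, "ransom_notes": notes}


def verdict(scan: dict[str, list[str]]) -> str:
    """Confidence that a host shows Jaff activity: high / medium / low / none."""
    if scan["encrypted"]:
        return "high"      # renamed files are the strongest on-disk indicator
    names = {PureWindowsPath(p).name.lower() for p in scan["ransom_notes"]}
    if names - GENERIC_NOTE_NAMES:
        return "medium"    # Jaff-specific note names, but no encrypted files seen
    if names:
        return "low"       # only generic ReadMe.* names; needs manual review
    return "none"


# Constructed sample data (not real captures).
SAMPLE_SUBJECTS = ["Scan_84686473", "Copy of Invoice 3281", "Invoice(44412)", "Weekly report"]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx.jaff",
    r"C:\Users\alice\Documents\ReadMe.txt",
    r"C:\ProgramData\Rondo\WallpapR.bmp",
    r"C:\Users\alice\Pictures\holiday.jpg",
]

if __name__ == "__main__":
    for subj in SAMPLE_SUBJECTS:
        print(f"{subj!r}: {'SUSPECT' if subject_matches(subj) else 'ok'}")
    result = scan_paths(SAMPLE_FILES)
    print(result)
    print("verdict:", verdict(result))
```

Run it against a mailbox export or a file listing from a host of interest; a "high" verdict is a cue to isolate the machine and check for the WallpapR.bmp drop in C:\ProgramData\Rondo, while "low" only warrants a closer look at the flagged ReadMe files.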
- Bleeping Computer provides more information about Jaff here.
- The Rakhni Decryption Tool from NoMoreRansom.org can decrypt files encrypted by Jaff for free. Bleeping Computer provides instructions and more information about the tool here.
- The Bleeping Computer forums also provide some suggestions for restoring encrypted files.
Image Source: Bleeping Computer