'Locky-style' ransomware Jaff is on the loose, warns Forcepoint

Ransomware demands 1.79 Bitcoin - or £2,780 - to unlock ransomed files

Jaff, a ransomware strain that shares traits with the Locky malware, is being sent out at five million emails an hour in an attempt to infect users' PCs - and will demand 1.79 Bitcoin (£2,780) to unlock encrypted computer files if it succeeds.

According to Forcepoint Security Lab, the malicious email campaign stems from the Necurs botnet. The company said that while professionals may consider the emails an obvious infection attempt, the campaign is still likely to infect some machines because of its potential reach and 'human vulnerability'.

The campaign started yesterday morning at 9am and had peaked by 1pm. During this period, more than 13 million emails were recorded and blocked by Forcepoint's systems.

The security company said that the campaign had gone global - primarily affecting organisations in the UK and US, as well as Ireland, Belgium, the Netherlands, Italy, Germany, France, Mexico and Australia.

The campaign sends users an e-mail with an attached PDF document that contains an embedded DOCM file carrying a malicious macro script. Once the user clicks through, the script downloads and executes the Jaff ransomware.
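The lure structure described above (a PDF wrapping a macro-enabled Word document) is something a mail gateway can screen for before any user clicks. The following is an added example, not Forcepoint's or any vendor's code: it scans raw PDF bytes for `/EmbeddedFile` objects and `/Filespec` names, and flags macro-enabled Office extensions. The sample PDFs are constructed inline and contain no macro code; the extension list generalises beyond the DOCM case the article names to the other macro-enabled OOXML types, which is an assumption of this example.

```python
"""Mail-gateway style heuristic: flag PDF attachments that carry an embedded
macro-enabled Office document (e.g. a .docm). Added example, not vendor code."""
import re
from dataclasses import dataclass, field
from typing import List

# Macro-enabled Office extensions (assumption: generalised beyond the DOCM
# case in the article to the other macro-enabled OOXML types).
MACRO_ENABLED_EXTENSIONS = (b".docm", b".dotm", b".xlsm", b".xltm", b".pptm", b".potm")

# Raw-object patterns. They only see dictionaries stored uncompressed in the
# file body; objects packed into /ObjStm streams are invisible to them.
_EMBEDDED_FILE_TYPE = re.compile(rb"/Type\s*/EmbeddedFile\b")
_FILESPEC_NAME = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")
_OBJECT_STREAM = re.compile(rb"/Type\s*/ObjStm\b")


@dataclass
class PdfFinding:
    embedded_file_objects: int                      # count of /Type /EmbeddedFile dicts
    embedded_names: List[str] = field(default_factory=list)
    macro_enabled_names: List[str] = field(default_factory=list)
    has_object_streams: bool = False                # True: compressed objects not inspected

    @property
    def verdict(self) -> str:
        if self.macro_enabled_names:
            return "block"      # PDF wrapping a macro-enabled document
        if self.embedded_file_objects or self.has_object_streams:
            return "review"     # embedded content present, or parts of the file unseen
        return "allow"


def inspect_pdf(data: bytes) -> PdfFinding:
    """Scan raw PDF bytes for embedded files and macro-enabled file names."""
    finding = PdfFinding(embedded_file_objects=len(_EMBEDDED_FILE_TYPE.findall(data)))
    seen = set()
    for raw_name in _FILESPEC_NAME.findall(data):
        name = raw_name.decode("latin-1")   # assumption: plain, unescaped PDF string
        if name in seen:
            continue                        # /F and /UF usually repeat the same name
        seen.add(name)
        finding.embedded_names.append(name)
        if raw_name.lower().endswith(MACRO_ENABLED_EXTENSIONS):
            finding.macro_enabled_names.append(name)
    finding.has_object_streams = _OBJECT_STREAM.search(data) is not None
    return finding


# Constructed samples (not real malware): a minimal PDF skeleton carrying an
# embedded "invoice.docm", and a plain one-page PDF with nothing embedded.
SAMPLE_PDF_WITH_DOCM = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    b"   /Names << /EmbeddedFiles << /Names [(invoice.docm) 3 0 R] >> >> >>\nendobj\n"
    b"3 0 obj\n<< /Type /Filespec /F (invoice.docm) /UF (invoice.docm)\n"
    b"   /EF << /F 4 0 R >> >>\nendobj\n"
    b"4 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nPK\x03\x04\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

SAMPLE_PDF_CLEAN = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_PDF_WITH_DOCM), ("clean", SAMPLE_PDF_CLEAN)):
        f = inspect_pdf(blob)
        print(f"{label}: verdict={f.verdict} embedded={f.embedded_names} "
              f"macro={f.macro_enabled_names} objstm={f.has_object_streams}")
```

The `has_object_streams` flag is the caveat that matters in practice: many benign PDFs written by modern tools pack their dictionaries into compressed object streams, so a raw-byte scan cannot rule an attachment in or out and the "review" verdict should route the file to a full parser or sandbox rather than to the user.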

The ransomware targets 423 file extensions, and is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the '.jaff' file extension is appended.

In every affected folder a ransom note is dropped, and the desktop background of the infected system is replaced. All of the ransom notes tell users that their files are encrypted, and that to decrypt them the user needs to obtain the private key, which "is located on a secret server in the internet".

It tells the user to install Tor Browser, enter a web address into it, and follow the instructions.

'Cousin Locky'

Forcepoint suggested that there were a few indicators of a possible association between Jaff and Locky. Locky was also spread by the Necurs botnet, and the Tor-based payment sites for the two families are similar. The code of both attempts to delete itself if the local language of the machine is 'LANG_RUSSIAN', and Jaff attempts to connect to a C2 server that is a known Locky domain.

"It is unclear if Jaff's links with Locky extend beyond the visual structure of the URLs and documents employed," Forcepoint said.

"What is clear, given the volume of messages sent, is that the actors behind the campaign have expended significant resources on making such a grand entrance. With the high ransom value suggesting the perpetrators of this campaign intend to recoup their costs, it would be surprising if Jaff fades from the limelight as suddenly."

Locky is a strain of Dridex, which made its name after attacking a hospital in the US, making it pay $17,000 in bitcoin to decrypt important data.
