
Name: Jaff Ransomware
Type: Crypto-ransomware
Short Description: This ransomware shows activity similar to Dridex and the Locky ransomware. It appeared just one day before the WannaCry ransomware. More than 100,000 emails carrying a PDF attachment were observed within a short time. The attackers used the Necurs botnet to send the massive spam campaign. Once files are encrypted, their extension is changed to .WLU.
Distribution Method: Phishing emails sent through the Necurs botnet.

More Details

This ransomware made its debut just one day before the devastating WannaCry ransomware; it was first seen in the wild on 11 May 2017. Massive volumes of email were sent from the very beginning of the campaign. It has no stealth mechanism: infection relies on social engineering (phishing mail). The mail looks legitimate, and its content refers to an invoice attachment, which is the file used to start the infection. Once the victim downloads and runs the attachment, encryption begins. More than 10,000 emails per hour were observed. This ransomware shares some traits with Dridex and the Locky ransomware. The attackers used the Necurs botnet to send the spam, the same botnet that was used for Locky, and there are even some minor similarities between the code of the two families. Forcepoint Security Labs reported seeing more than 5 million spam emails in a very short time. The ransomware demands a whopping 2 bitcoins, around $3,700 at the time. The infection process is as follows.

Once the victim downloads the PDF file, the JavaScript embedded in the PDF prompts the victim to open an embedded Word file. When the victim clicks "Enable Editing" to view it, the VBA macro, which acts as the ransomware downloader, starts its work and downloads the ransomware. Once the ransomware has been downloaded, it searches for files with certain extensions and encrypts them; when this process is complete the files are unusable and their extension has been changed to .WLU. The ransomware then drops a Readme.txt file on the victim's device and changes the desktop wallpaper. The attacker demands 2 BTC. One distinctive feature is that the decryptor site asks for a unique ID that was placed on the victim's device; after the victim enters this ID, they are taken to a page where the attacker explains how to make the payment. The look and feel of this page is the same as Locky's.
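Two of the host-side artifacts described above, the mass rename of files to the .WLU extension and the Readme.txt note dropped afterwards, can be turned into a simple detection. The following is an added example, not code from the original page: it runs over a constructed list of file-system events, and the event format, process names, rename threshold and time window are assumptions made for the example.

```python
"""Flag Jaff-style encryption activity in a stream of file-system events.

Indicators taken from the write-up: files renamed to a .WLU extension and a
Readme.txt ransom note.  Everything else here is assumed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".wlu"          # extension named in the write-up
RANSOM_NOTE = "readme.txt"      # note name given in the write-up
RENAME_THRESHOLD = 5            # assumed: renames per window to call it mass encryption
WINDOW = timedelta(seconds=60)  # assumed: sliding window length

# Constructed sample events: (ISO timestamp, process, action, path).
SAMPLE_EVENTS = [
    ("2017-05-11T09:00:00", "explorer.exe", "rename", r"C:\Users\u\old.txt.wlu"),
    ("2017-05-11T09:00:05", "WINWORD.EXE", "create", r"C:\Users\u\AppData\Local\Temp\jaff_drop.exe"),
] + [
    ("2017-05-11T09:00:%02d" % (10 + i), "jaff_drop.exe", "rename",
     r"C:\Users\u\Documents\file%d.docx.wlu" % i)
    for i in range(8)
] + [
    ("2017-05-11T09:00:30", "jaff_drop.exe", "create", r"C:\Users\u\Documents\ReadMe.txt"),
]


def detect(events):
    """Return {process: set of indicator names} for processes that look like Jaff."""
    findings = defaultdict(set)
    rename_times = defaultdict(list)
    for ts, proc, action, path in events:
        when = datetime.fromisoformat(ts)
        name = path.lower().rsplit("\\", 1)[-1]   # file name, case-folded
        if action == "rename" and name.endswith(ENCRYPTED_EXT):
            rename_times[proc].append(when)
        elif action == "create" and name == RANSOM_NOTE:
            findings[proc].add("ransom_note_dropped")
    for proc, times in rename_times.items():
        times.sort()
        # Sliding window: does any WINDOW-long span hold RENAME_THRESHOLD renames?
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= WINDOW]
            if len(in_window) >= RENAME_THRESHOLD:
                findings[proc].add("mass_rename_to_wlu")
                break
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in detect(SAMPLE_EVENTS).items():
        print(proc, sorted(hits))
```

A single rename to .wlu by a benign process stays below the threshold and produces no finding; only the process that both renames many files quickly and drops the note is reported.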