Jaff Ransomware Distributed via Necurs MALSPAM and asking for a $3,700 Ransom

Solarquest

A new ransomware was found today by MalwareHunterTeam called Jaff Ransomware. In general, there is nothing special about this ransomware other than it is being heavily distributed and that they stole the payment site HTML from Locky. Otherwise, Jaff is your garden variety ransomware that encrypts files using AES encryption and appends the .jaff extension to encrypted files.

Unfortunately, after analysis by Emsisoft's Fabian Wosar it was determined that the Jaff Ransomware is not decryptable. With that said, there may be methods that can be used to recover some of the files, so please contact Emsisoft or the helpers at BleepingComputer before paying a ransom. If you want to discuss this ransomware or receive support, you can ask in our dedicated Jaff Ransomware Support & Help Topic.

Now, let's take a look at how Jaff is being distributed and executed.

Jaff Ransomware being Distributed by MALSPAM
According to CERT-Bund, Jaff is being heavily distributed via MALSPAM from the Necurs botnet. These SPAM emails will have subjects like Scan_84686473 and will contain an attached PDF called nm.pdf. The different subject lines that are being used are:

Copy_[Random Numbers]
Document_[Random Numbers]
Scan_[Random Numbers]
File_[Random Numbers]
PDF_[Random Numbers]

When a victim opens the SPAM email all they will see is the PDF attachment as shown below.
...
 
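A mail-triage check for the campaign shape described in the post above (a subject of the form Copy_/Document_/Scan_/File_/PDF_ followed by digits, carrying a PDF attachment named nm.pdf). This is an added example, not code from the original post or from CERT-Bund; the sample message, addresses and attachment bytes are constructed placeholders.

```python
"""Flag mail matching the Jaff MALSPAM pattern from the thread (added example).
A message is 'suspicious' when its subject matches the listed pattern AND it
carries a PDF attachment; 'nm_pdf' records the exact attachment name seen."""
import re
from email import message_from_string
from email.message import Message

# Subject shapes listed in the post: Copy_/Document_/Scan_/File_/PDF_ + numbers
SUBJECT_RE = re.compile(r"^(Copy|Document|Scan|File|PDF)_\d+$")

def pdf_attachment_names(msg: Message) -> list:
    """Return filenames of attachments declared as PDF or named *.pdf."""
    names = []
    for part in msg.walk():
        fname = part.get_filename()
        if fname is None:
            continue
        if part.get_content_type() == "application/pdf" or fname.lower().endswith(".pdf"):
            names.append(fname)
    return names

def triage(raw: str) -> dict:
    """Parse a raw RFC 822 message and score it against the campaign shape."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    subj_hit = bool(SUBJECT_RE.match(subject))
    pdfs = pdf_attachment_names(msg)
    return {
        "subject": subject,
        "subject_match": subj_hit,
        "pdf_attachments": pdfs,
        "nm_pdf": any(n.lower() == "nm.pdf" for n in pdfs),
        "suspicious": subj_hit and bool(pdfs),
    }

# Constructed sample resembling the campaign; the base64 body is a harmless
# placeholder ("%PDF-1.4 % placeholder"), not a real attachment.
SAMPLE = """From: sender@example.invalid
To: victim@example.invalid
Subject: Scan_84686473
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the document attached.
--b1
Content-Type: application/pdf; name="nm.pdf"
Content-Disposition: attachment; filename="nm.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJSBwbGFjZWhvbGRlcgo=
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```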

Solarquest

Jaff ransomware: The new Locky?

The Emsisoft Lab analyses the latest ransomware threat: What is Jaff ransomware, and how to prevent becoming a victim?
...
Ransomware continues to be a growing security threat, with new families cropping up every week. Emsisoft researchers are often involved in the discovery and analysis of new threats, and this ransomware is no different. Originally spotted earlier today, Jaff ransomware caught our attention due to it being spread via the Necurs botnet, which previously spread ransomware such as Locky, and already having a large number of submissions to ID-Ransomware.

...
While the last Locky variants consist of almost 800 different functions, the Jaff code consists of only about 50, making Jaff a lot less feature complete and sophisticated.

Meet Jaff ransomware
Jaff is written in C and is packed using a custom malware obfuscator. Obfuscators are tools that are used by malware authors to hide malware underneath potentially multiple layers of encryption and compression in order to make their analysis more difficult.
..
 

Winter Soldier

$3,700 ransom? Absurd, but this should push people to use a serious backup policy.
You can save your data in a variety of ways to external and offline media without worries.
Also, creating an OS image that contains your operating system structure is very simple, for example using Macrium, for free.
 

Parsh

“Necurs is a modular malware that can be used for many different purposes. What’s new with the sample we found is the addition of a module that adds SOCKS/HTTP proxy and DDoS capabilities to this malware”
“Given the size of the Necurs botnets (more than one million IP/24 hours in the largest botnet), even the most basic techniques should produce a very powerful attack”
Jaff is currently detected by about 25 engines on VT, but just look at how crazily the infection can be propagated to millions of IPs every day! Yeah, backup, people.
 

Winter Soldier

“Necurs is a modular malware that can be used for many different purposes. What’s new with the sample we found is the addition of a module that adds SOCKS/HTTP proxy and DDoS capabilities to this malware”
“Given the size of the Necurs botnets (more than one million IP/24 hours in the largest botnet), even the most basic techniques should produce a very powerful attack”
Jaff is currently detected by about 25 engines on VT, but just look at how crazily the infection can be propagated to millions of IPs every day! Yeah, backup, people.
Often it is very difficult for security researchers to analyze new sophisticated malware.
Code obfuscation and encrypted functions may require many days of analysis, and in the meantime, the malware attacks.
So yeah, we have to use our only truly safe weapon: the backup.
 

jamescv7

All I can see here is how a ransomware advertises: the more money involved, the better the chances of getting the files back from encryption. ;)
 