Jaff is a ransomware program which appeared a few days before the notorious WannaCry. Since the two viruses are of the same type, the latter got all the attention. WannaCry launched an attack which outshone all other ransomware campaigns at the time. Jaff did not receive as much recognition as it would have in other circumstances.
The history of Jaff ransomware is just beginning. The authors of the virus have already unfolded the next chapter with the release of another build. The second version of Jaff shares some characteristics with its predecessor, but it also has a lot of different features.
Both variants of the ransomware are distributed through the Necurs botnet. The first version used a ransom page which resembled the payment website of Locky. The creators of this ransomware are responsible for releasing two other infections: Dridex and Bart. The three viruses shared a common design for their payment pages. The obvious assumption was that Jaff was made by the same people.
Now that a different variant has been released, there are reasons to believe that Jaff is not related to these infections. Brad Duncan, threat intelligence analyst and handler at the SANS Internet Storm Center of Palo Alto Networks, took the liberty to compare and contrast the two versions of Jaff. The current build drops a ransom note which contains green text written on a dark background. This is a step away from the plagiarized ransom message which copied the Locky design.
Another change is the custom file extension. The first build added the .jaff suffix to the names of the encrypted files. The second uses the .wlu appendix. An important decision the cyber criminals have made is to lower the bar for the payment. The ransom was originally 2 Bitcoins. Now it amounts to 0.35630347 Bitcoins.
The propagation vector has not been switched. The developers of Jaff still make use of spam emails. This is the most common way of spreading ransomware programs, so there is no surprise here. The messages distributing Jaff were first spotted on Tuesday, May 23. They include a .PDF attachment which contains an embedded Word document. The attachment is listed as an invoice. The document transfers the ransomware via macros.
“The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that’s been XORed with the ASCII string I6cqcYo7wQ,” Brad Duncan explained.
Like its predecessor, the second version of Jaff targets around 400 file formats. Upon completing the encryption, the virus drops a ransom note to inform the victim about the situation. The purpose of the ransom note is to explain what the program has done, state what the demands of the attackers are and list the instructions on how to make the payment.
Time will tell how many devices Jaff ransomware will be able to infect. The alleged connection to a criminal group makes the virus a potential top tier.