Heimdal Security alerts that it seems like the Jaff ransomware is a part of much bigger operations. Jaff first appeared on the same day, when the WannaCry infection did – 12th May – and recently, researchers discovered that a sample of the threat shares server space with a big cybercrime store.
Jaff is being distributed via spam email messages with attached malicious PDF files, sent by the Necurs botnet. According to experts, the cyber gang behind Jaff is the same one, responsible for the Dridex and Locky infections. The same hackers also released the Bart ransomware last year.
According to Heimdal Security, Jaff is tied with a refine cybercrime web marketplace that offers to its potential clients to purchase numerous breached bank accounts as well as balance, location, and email address information. The store also offers for sale stolen credit cards, compromised accounts on eBay, Amazon, PayPal as well as accounts that include financial data like Apple, Asos.com, Best Buy, Bed Bath & Beyond, Barnes * Noble, Booking.com, etc. The prices vary from a less than a dollar to a couple of Bitcoins, experts note. The marketplace doesn’t discriminate which means that anyone is able to purchase stolen credentials.
Statistics shows that the financial institutions with most compromised accounts are from U.S., Canada, Australia, New Zealand, France, Spain, and Italy.
“This doesn’t mean that those specific web shops have been compromised. Cyber criminals use a wide range of tactics to get into victims’ accounts, often focusing on breaking weak and/or reused passwords.” – Heimdal Security`s Andra Zaharia says.
The stolen accounts can be used for all kinds of malicious purposes. The hackers can use them to get financial information about their real owners, they can get quick access to easy cash or turn it into untraceable Bitcoins.
Heimdal Security says that the crime store`s server is hosted in St. Petersburg, Russia, at IP 5.101.66 [.] 85.
“The same server is also part of the infrastructure that fuels the Jaff ransomware attacks that have been sweeping across Europe and the rest of the world.” – Zaharia says.
The marketplace`s domains include http://paysell[.]me, http://paysell[.]bz, http://paysell[.]ws, http://paysell[.]info, http://paysell[.]net, and http://paysell[.]org. Another domain is hosted on TOR -paysellzh4l5lso7[.]onion.
However, even though ransomware infections are usually used for stealing users` information, there is no evidence that the stolen credentials which the Russian cybercrime store offers for sale have been mooched using Jaff. It is possible that other types of malware have been exploited to exfiltrate the stolen data or the exploit of the huge number of credentials which appeared online last year, due to numerous breaches against famous online platforms.
