The Jaff ransomware spam campaigns have increased significantly lately. According to Trustwave security experts, the campaigns have been using a number of decoy files hidden inside malicious PDF attachments in order to get the file-encrypting payload onto users’ computers.
The Jaff ransomware family was first noticed in May this year, and it has been distributed through the well-known Necurs spam botnet. Last year, Necurs ran huge spam campaigns, and then in December the botnet suddenly disappeared. However, Necurs was missing for only a few months before its return this April.
The numerous spam emails distributed by Necurs that were associated with Locky ransomware also disappeared in December, only to come back in April as well.
At the beginning of May, the Necurs botnet started distributing the Jaff ransomware and it has kept doing so. Considering the use of some resources associated with Dridex and Locky ransomware, the gang behind those is most probably the same one responsible for the Jaff threat.
The first version of Jaff ransomware even used a ransom note very similar to Locky’s, while the second version adopted a redesigned one, along with the other changes the attackers made.
The Jaff ransomware distribution campaign uses PDF files, attached to spam emails, that contain hidden Word documents. The email subjects vary from fake invoice notifications to fake payment receipts, and from alleged image scans to random file copies.
In any case, the ultimate goal does not change: the Word document inside the PDF file is meant to download and drop a malware executable. Trustwave researchers note that the PDF campaigns have been evolving almost daily, and the number of embedded files discovered inside has been constantly increasing.
“These additional files do nothing, and are probably just decoys. But the main .docm file, with its malicious macro, still acts as the malware downloader,” Homer Pacag from Trustwave says.
The PDF file includes an exportDataObject Launch instruction to drop and launch the embedded .docm file. Once macros are enabled, the Word document’s vbaProject macro component downloads the Jaff ransomware from a specific URL.
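A defender-side triage check for the mechanism just described (an embedded .docm that the PDF exports and launches via exportDataObject), written as an added example that is not from Trustwave’s report; the sample PDF bytes, the regular expressions and the scoring thresholds are constructed assumptions:

```python
import re

# Constructed sample, not a real file from the campaign: a minimal PDF whose
# OpenAction runs JavaScript that exports and launches an embedded .docm.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /OpenAction 2 0 R
  /Names << /EmbeddedFiles << /Names [(invoice.docm) 3 0 R] >> >> >> endobj
2 0 obj << /S /JavaScript
  /JS (this.exportDataObject({ cName: "invoice.docm", nLaunch: 2 });) >> endobj
3 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 4 0 R >> >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
trailer << /Root 1 0 R >>
%%EOF"""

# Extensions that should never need to be exported from a mailed PDF.
RISKY_EXT = (".docm", ".doc", ".xlsm", ".js", ".vbs", ".exe", ".hta")

def triage_pdf(data: bytes) -> dict:
    """Flag PDFs that carry embedded files and try to export/launch them.

    Caveat: this looks at uncompressed objects only. Real-world samples often
    hide these keywords inside FlateDecode object streams, so inflate streams
    with a PDF parser first and re-run the same checks on the decoded bytes.
    """
    # Embedded file names appear in the /EmbeddedFiles name tree and /Filespec.
    names = re.findall(rb"/Names\s*\[\s*\(([^)]+)\)", data)
    names += re.findall(rb"/Filespec[^>]*?/F\s*\(([^)]+)\)", data)
    embedded = sorted({n.decode("latin-1") for n in names})
    findings = {
        "embedded_files": embedded,
        "risky_embedded": [n for n in embedded if n.lower().endswith(RISKY_EXT)],
        "export_data_object": b"exportDataObject" in data,
        # nLaunch 1 or 2 asks the viewer to launch the exported file.
        "auto_launch": re.search(rb"nLaunch\s*:\s*[12]", data) is not None
                       or b"/Launch" in data,
        "open_action": b"/OpenAction" in data,  # fires as soon as the PDF opens
    }
    score = sum([bool(findings["risky_embedded"]), findings["export_data_object"],
                 findings["auto_launch"], findings["open_action"]])
    findings["verdict"] = "suspicious" if score >= 3 else "review" if score else "clean"
    return findings
```

Running triage_pdf(SAMPLE_PDF) reports the embedded invoice.docm, the exportDataObject call with an auto-launch flag and the OpenAction trigger, which together give a "suspicious" verdict; a PDF with none of these comes back "clean".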
In recent days, the Jaff version delivered via the Necurs botnet appends the .wlu extension to encrypted files (the initial variant used the .jaff extension). Nevertheless, it keeps using the same URL to take victims to the page where they are told how to get their files back.