‘Jaff’ enters the ransomware scene, Locky-style

Please note: this post is not related to the global WannaCry outbreak on Friday 12 May 2017. For ongoing updates on WannaCry, please run into our related blog post.

Forcepoint Security Labs have observed today a major malicious e-mail campaign from the Necurs botnet spreading a new ransomware which appears to telephone call itself ‘Jaff’, peaking within our telemetry at nearly 5m emails per hour.  The emails sent past this campaign may wait spartan to the professional eye but, as ever, the human point of interaction with systems is the most vulnerable: by potentially reaching so many individuals, campaigns such equally this tin – and practise – succeed in infecting people. Add together to this a ransom of 1.79 Bitcoins (approximately $iii,300 at the time of the campaign) and the potential ‘value’ of the campaign is pregnant.


The campaign started just before 09:00 BST and had largely peaked past 13:00 BST. During this short flow, over 13 1000000 emails were recorded and blocked past our systems. The graph below shows the hourly volumes recorded:

The campaign has a global scope: the graph beneath shows the meridian twenty recipient TLDs recorded within our telemetry. Mayhap unsurprisingly, .com domains make up the majority of the recipients recorded. However, organisations in Ireland, Israel, Belgium, the netherlands, Italy, Frg, France, United mexican states, and Australia also received a significant volume of malicious e-mail during this campaign. Further down the list, TLDs for countries such as Sri Lanka, Peru, and Costa rica were recorded highlighting the breadth of this entrada.

The campaign theme is a imitation document with the post-obit e-mail subject format:

PDF_{four or more digits}
Scan_{four or more than digits}
File_{4 or more digits}
Copy_{four or more than digits}
Document_{4 or more digits}
Receipt to impress

A screenshot of i of the malicious emails is shown beneath:

The fastened PDF contains an embedded DOCM file with a malicious Macro script. This script will then download and execute the Jaff ransomware.

Possible ties with Locky

Jaff targets 423 file extensions. A consummate list of these is provided at the end of this blog. It is capable of offline encryption without dependency on a command and command server. In one case a file is encrypted, the ‘.jaff’ file extension is appended.

In every affected folder, the ransom notes ‘ReadMe.bmp’, ‘ReadMe.html’ and ‘ReadMe.txt’ are dropped while the desktop background of the infected system is also replaced. All of these components contain a message similar to the following:

Meanwhile, in that location are a few indicators of a possible association between Jaff and the infamous Locky ransomware. For starters, both Jaff and Locky are spread by the Necurs botnet. Additionally, The Tor-based payment sites for both families resemble each other:

While the code behind Jaff is less sophisticated than Locky’s, it attempts to delete itself if the local language of the machine is ‘LANG_RUSSIAN’ (0x19). Locky is known to implement a similar filtering:

Finally, Jaff attempts to connect to the C2 server fkksjobnn43[.]org which is hardcoded in its code. This is a known Locky domain.

Protection statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Phase 2 (Lure) – Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) – Jaff variants are prevented from being downloaded.
Stage half-dozen (Call Home) – Attempts by Jaff to contact its C&C server are blocked.


It’southward easy to be dismissive of broad-accomplish email campaigns such as this and focus on the more ‘glamorous’ earth of spearphishing. The emails sent past this entrada may look spartan to the professional person eye simply, as ever, the human point is the weak point: by potentially reaching and then many people, campaigns such as this can – and exercise – succeed in infecting people.

This wide scope, coupled with low antivirus detection rates at the time of the entrada, again highlights the necessity of defence-in-depth.

At the time of writing it is unclear if Jaff’s links with Locky extend beyond the visual construction of the URLs and documents employed. What is articulate, given the volume of messages sent, is that the actors backside the campaign accept expended significant resource on making such a 1000 entrance. With the high ransom value suggesting the perpetrators of this entrada intend to recoup their costs, it would exist surprising if Jaff fades from the limelight as suddenly.

Indicators of Compromise


        SHA256  5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211 SHA1    f98a35ab5f9fa47a49db5535b654cebb5bc99bf5
        Jaff ransomware
        SHA256  0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f SHA1    8ab568db2bc914e3e6af048666eb0bc4ba2e414d

Download URLs

hxxp://takanashi[.]jp/f87346b hxxp://babil117[.]com/f87346b hxxp://easysupport[.]us/f87346b hxxp://julian-g[.]ro/f87346b hxxp://phinamco[.]com/f87346b hxxp://techno-kar[.]ru/f87346b hxxp://tiskr[.]com/f87346b  hxxp://trans-atm[.]com/f87346b hxxp://trialinsider[.]com/f87346b  hxxp://wipersdirect[.]com/f87346b

Targeted file extensions

.xlsx .acd .pdf .pfx .crt .der .cad .dwg .MPEG .rar .veg .zip .txt .jpg .dr. .wbk .mdb .vcf .docx .ics .vsc .mdf .dsr .mdi .msg .xls .ppt .pps .obd .mpd .dot .xlt .pot .obt .htm .html .mix .pub .vsd .png .ico .rtf .odt .3dm .3ds .dxf .max .obj .7z .cbr .deb .gz .rpm .sitx .tar .tar.gz .zipx .aif .iff .m3u .m4a .mid .key .vib .stl .psd .ova .xmod .wda .prn .zpf .swm .xml .xlsm .par .tib .waw .001 .002 003. .004 .005 .006 .007 .008 .009 .010 .contact .dbx .jnt .mapimail .oab .ods .ppsm .pptm .prf .pst .wab .1cd .3g2 .7ZIP .accdb .aoi .asf .asp. aspx .asx .avi .bak .cer .cfg .class .config .css .csv .db .dds .fif .flv .idx .js .kwm .laccdb .idf .lit .mbx .medico .mlb .mov .mp3 .mp4 .mpg .pages .php .pwm .rm .condom .sav .salve .sql .srt .swf .thm .vob .wav .wma .wmv .xlsb .aac .ai .arw .c .cdr .cls .cpi .cpp .cs .db3 .docm .dotm .dotx .drw .dxb .eps .fla .flac .fxg .coffee .m .m4v .pcd .percent .pl .potm .potx .ppam .ppsx .ps .pspimage .r3d .rw2 .sldm .sldx .svg .tga .wps .xla .xlam .xlm .xltm .xltx .xlw .human activity .adp .al .bkp .alloy .cdf .cdx .cgm .cr2 .dac .dbf .dcr .ddd .design .dtd .fdb .fff .fpx .h .iif .indd .jpeg .mos .nd .nsd .nsf .nsg .nsh .odc .odp .oil .pas .pat .pef .ptx .qbb .qbm .sas7bdat .say .st4 .st6 .stc .sxc .sxw .tlg .wad .xlk .aiff .bin .bmp .cmt .dat .dit .edb .flvv .gif .groups .hdd .hpp .log .m2ts .m4p .mkv .ndf .nvram .ogg .ost .pab .pdb .pif .qed .qcow .qcow2 .rvt .st7 .stm .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .3fr .3pr .ab4 .accde .accdt .ach .acr .adb .srw .st5 .st8 .std .sti .stw .stx .sxd .sxg .sxi .sxm .tex .wallet .wb2 .wpd .x11 .x3f .xis .ycbcra .qbw .qbx .qby .raf .rat .raw .rdb rwl .rwz .s3db .sd0 .sda .sdf .sqlite .sqlite3 .sqlitedb .sr .srf .oth .otp .ots .ott .p12 .p7b .p7c .pdd .pem .plus_muhd .plc .pptx .psafe3 .py .qba .qbr.myd .ndd .nef .nk .nop .nrw .ns2 .ns3 .ns4 .nwb .nx2 .nxl .nyf .odb .odf .odg .odm .ord .otg .ibz .iiq .incpas .jpe .kc2 .kdbx .kdc .kpdx .lua .mdc .mef .mfw .mmw .mny .moneywell .mrw.des .dgc .djvu .dng .drf .dxg .eml .erbsql .erd .exf .ffd .fh .fhd .greyness .grey .gry .hbk .ibank .ibd .cdr4 .cdr5 .cdr6 .cdrw .ce1 .ce2 .cib .craw .crw .csh .csl .db_journal .dc2 .dcs .ddoc .ddrw .ads .agdl .ait .apj .asm .awg .back .backup .backupdb .banking concern .bay .bdb .bgt .bik .bpw .cdr3 .as4

Note: This page was edited on eleven-May-2017 to right an error in a mentioned C2 URL.

Source: https://www.forcepoint.com/blog/x-labs/jaff-enters-ransomware-scene-locky-style

Check Also

Will Dogecoin Go Up In Value

Will Dogecoin Go Up In Value

On Dec. 6, 2013, Billy Markus and Jackson Palmer decided to combine their dearest of …