Jaff Ransomware | Infoblox Threat Center

JAFF

The Other Ransomware Attack

Jaff was the other ransomware attack that was launched around the same time as WannaCry. This ransomware attack was launched by Necurs, one of the largest botnets in the world, notorious for spreading threats such as the Locky ransomware and the Dridex banking Trojan. It spread using phishing emails with PDF attachments. Once the user opens the attachment and provides additional permission, the payload gets delivered.

Once downloaded, Jaff attempts to connect to its command and control servers via DNS lookup to “check-in”. Then the encryption proceeds and the victim’s files are locked up until a ransom is paid. The exact amount demanded by the ransom varies over time, but currently averages around 2 Bitcoin (roughly $3,500 dollars).
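The DNS "check-in" described above is also what makes this family visible to a resolver: a query for a command and control name has to pass through DNS before any payload traffic flows, which is the point a Response Policy Zone (RPZ) can act on. The following is an added example, not Infoblox code, showing how RPZ-style matching (an exact name plus a `*.` wildcard that covers subdomains, as a zone entry would) is applied to BIND-style query log lines. The log lines and the `example.invalid` domains are constructed placeholders, not Jaff or Necurs indicators.

```python
"""RPZ-style matching of DNS query-log lines against a C2 blocklist.

Added example, not Infoblox code. All domains and log lines below are
constructed placeholders, not real indicators.
"""
import re

# Constructed blocklist in RPZ style. The "*." entry covers every name
# under dga-family.example.invalid, but (as in a real RPZ) not the apex.
BLOCKLIST = {
    "c2-checkin.example.invalid",
    "*.dga-family.example.invalid",
}

# Constructed BIND-style query log lines (not captured traffic).
SAMPLE_LOG = """\
12-May-2017 08:01:02.123 client 10.0.0.15#51234: query: c2-checkin.example.invalid IN A + (10.0.0.2)
12-May-2017 08:01:03.456 client 10.0.0.15#51235: query: www.example.org IN A + (10.0.0.2)
12-May-2017 08:01:04.789 client 10.0.0.22#51236: query: xk3j9a.dga-family.example.invalid IN A + (10.0.0.2)
12-May-2017 08:01:05.000 client 10.0.0.22#51237: query: dga-family.example.invalid IN A + (10.0.0.2)
"""

LOG_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Strip a trailing dot and lower-case, so matching is case-insensitive."""
    return name.rstrip(".").lower()


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname is an exact blocklist entry or sits under a wildcard entry."""
    name = normalize(qname)
    if name in blocklist:
        return True
    labels = name.split(".")
    # Walk the parents: a.b.c -> "*.b.c", then "*.c". The name itself is
    # never tested as "*.name", so a wildcard does not cover its own apex.
    for i in range(1, len(labels)):
        if "*." + ".".join(labels[i:]) in blocklist:
            return True
    return False


def parse_log(text):
    """Yield (client, qname, qtype) for each line that looks like a query entry."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("client"), normalize(m.group("qname")), m.group("qtype")


def flag_c2_lookups(text, blocklist=BLOCKLIST):
    """Return (client, qname) pairs for queries the policy would block."""
    return [(c, q) for c, q, _ in parse_log(text) if is_blocked(q, blocklist)]


if __name__ == "__main__":
    for client, qname in flag_c2_lookups(SAMPLE_LOG):
        print(f"BLOCK {client} -> {qname}")
```

Note the fourth log line: the apex `dga-family.example.invalid` is not matched by the `*.` entry, which mirrors RPZ wildcard semantics; a zone that wants to block both the apex and its subdomains needs two entries.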

THE RISE OF AN OLD THREAT

2016: Ransomware re-emerges as a leading threat
$1B: Payout to ransomware criminals in 2016
6,000%: Increase in ransomware-infected emails in 2017 vs. 2016
#1 delivery vehicle for ransomware: phishing email attachments

HOW INFOBLOX CAN HELP DEFEAT RANSOMWARE

Visibility into DNS activity to help detect malicious communications to killswitch domains.
Download ActiveTrust Eval Now »

DNS Response Policy Zone (RPZ) to block communications to C&C servers.
Download ActiveTrust Cloud Eval Now »

Curated and updated threat intelligence to stay on top of new and evolving threats.
Read Solution Note »

DHCP and IPAM for discovering what’s on your network.
Download DDI Eval »

Sharing information with your existing security tools to rapidly contain threats.
Learn More on Security Ecosystem »

Actionable Network Intelligence including contextual information on malicious activity.
Learn More on Actionable Network Intelligence »

TIMELINE OF JAFF

  • May 11, 2017

    Largest Victim: Russia
    At 1200 UTC, @malwrhunterteam confirms that the most affected country was Russia, followed by Taiwan and Spain.

  • May 11, 2017

    11 Countries Compromised
    At 1000 UTC, @malwrhunterteam confirms that victims across 11 countries were compromised.

  • May 11, 2017

    First Jaff Campaign Begins
    Initial spam campaign begins at 0800 UTC with roughly 35,768 messages, all containing nm.pdf attachments.
    Talos observes ~184 unique samples from the first wave.

  • May 12, 2017

    Second Campaign Begins
    Second campaign begins overnight with approximately 72,798 emails, distributing ~294 unique samples with attachments named 201705*.pdf.

  • May 12, 2017

    Locky and Bart
    Reports indicate similarity to the Locky and Bart ransomware families, with an identical payment page and the same Necurs delivery vector.

  • May 12, 2017

    Necurs Botnet
    Talos confirms that over 100k emails were distributed via the Necurs botnet within the past 24 hours.
    Forcepoint confirms blocking 13 million emails per hour.
    Check Point confirms global sensors registering a rate of 10,000 emails per hour.

  • May 15, 2017

    Additional DNS Protection
    Infoblox confirms that a large number of the collected IOCs had already been added to ActiveTrust feeds; Advanced/Plus subscribers would have received the most protection. Infoblox adds more Jaff threats to its zones.

  • May 15, 2017

    MalwareC2DGA_Necurs
    Infoblox confirms that 24 of the 33 Necurs DGA domains listed at https://pastebin[.]com/cRu]Uii2332E existed in DNSFW zones as early as mid-April.

  • May 15, 2017

    Cerber Connection
    While much of the community noted connections to Locky and Bart, Infoblox also identified a commonality with the Cerber ransomware.

Find Out if Malware Is Lurking in Your Network.