May 11, 2017

'Jaff' enters the ransomware scene, Locky-style

Roland Dela Paz Security Researcher

Please note: this post is not related to the global WannaCry outbreak on Friday 12 May 2017. For ongoing updates on WannaCry, please see our related blog post.

Forcepoint Security Labs have observed today a major malicious email campaign from the Necurs botnet spreading a new ransomware which appears to call itself 'Jaff', peaking within our telemetry at nearly 5m emails per hour.  The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point of interaction with systems is the most vulnerable: by potentially reaching so many individuals, campaigns such as this can - and do - succeed in infecting people. Add to this a ransom of 1.79 Bitcoins (approximately $3,300 at the time of the campaign) and the potential 'value' of the campaign is significant.


The campaign started just before 09:00 BST and had largely peaked by 13:00 BST. During this short period, over 13 million emails were recorded and blocked by our systems. The graph below shows the hourly volumes recorded:

The campaign has a global scope: the graph below shows the top 20 recipient TLDs recorded within our telemetry. Perhaps unsurprisingly, .com domains make up the majority of the recipients recorded. However, organisations in Ireland, Israel, Belgium, the Netherlands, Italy, Germany, France, Mexico, and Australia also received a significant volume of malicious email during this campaign. Further down the list, TLDs for countries such as Sri Lanka, Peru, and Costa Rica were recorded highlighting the breadth of this campaign.


The campaign theme is a fake document with the following email subject format:

PDF_{four or more digits}
Scan_{four or more digits}
File_{four or more digits}
Copy_{four or more digits}
Document_{four or more digits}
Receipt to print

A screenshot of one of the malicious emails is shown below:

The attached PDF contains an embedded DOCM file with a malicious Macro script. This script will then download and execute the Jaff ransomware.


Possible ties with Locky

Jaff targets 423 file extensions. A complete list of these is provided at the end of this blog. It is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the '.jaff' file extension is appended.

In every affected folder, the ransom notes 'ReadMe.bmp', 'ReadMe.html' and 'ReadMe.txt' are dropped while the desktop background of the infected system is also replaced. All of these components contain a message similar to the following:

Meanwhile, there are a few indicators of a possible association between Jaff and the infamous Locky ransomware. For starters, both Jaff and Locky are spread by the Necurs botnet. Additionally, The Tor-based payment sites for both families resemble each other:


While the code behind Jaff is less sophisticated than Locky's, it attempts to delete itself if the local language of the machine is 'LANG_RUSSIAN' (0x19). Locky is known to implement a similar filtering:

Finally, Jaff attempts to connect to the C2 server fkksjobnn43[.]org which is hardcoded in its code. This is a known Locky domain.

Protection statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Jaff variants are prevented from being downloaded.
Stage 6 (Call Home) - Attempts by Jaff to contact its C&C server are blocked.


It's easy to be dismissive of broad-reach email campaigns such as this and focus on the more 'glamorous' world of spearphishing. The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point is the weak point: by potentially reaching so many people, campaigns such as this can - and do - succeed in infecting people.

This broad scope, coupled with low antivirus detection rates at the time of the campaign, once again highlights the necessity of defence-in-depth.

At the time of writing it is unclear if Jaff's links with Locky extend beyond the visual structure of the URLs and documents employed. What is clear, given the volume of messages sent, is that the actors behind the campaign have expended significant resources on making such a grand entrance. With the high ransom value suggesting the perpetrators of this campaign intend to recoup their costs, it would be surprising if Jaff fades from the limelight as suddenly.

Indicators of Compromise


SHA256  5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211
SHA1    f98a35ab5f9fa47a49db5535b654cebb5bc99bf5
Jaff ransomware
SHA256  0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f
SHA1    8ab568db2bc914e3e6af048666eb0bc4ba2e414d

Download URLs


Targeted file extensions

.xlsx .acd .pdf .pfx .crt .der .cad .dwg .MPEG .rar .veg .zip .txt .jpg .doc .wbk .mdb .vcf .docx .ics .vsc .mdf .dsr .mdi .msg .xls .ppt .pps .obd .mpd .dot .xlt .pot .obt .htm .html .mix .pub .vsd .png .ico .rtf .odt .3dm .3ds .dxf .max .obj .7z .cbr .deb .gz .rpm .sitx .tar .tar.gz .zipx .aif .iff .m3u .m4a .mid .key .vib .stl .psd .ova .xmod .wda .prn .zpf .swm .xml .xlsm .par .tib .waw .001 .002 003. .004 .005 .006 .007 .008 .009 .010 .contact .dbx .jnt .mapimail .oab .ods .ppsm .pptm .prf .pst .wab .1cd .3g2 .7ZIP .accdb .aoi .asf .asp. aspx .asx .avi .bak .cer .cfg .class .config .css .csv .db .dds .fif .flv .idx .js .kwm .laccdb .idf .lit .mbx .md .mlb .mov .mp3 .mp4 .mpg .pages .php .pwm .rm .safe .sav .save .sql .srt .swf .thm .vob .wav .wma .wmv .xlsb .aac .ai .arw .c .cdr .cls .cpi .cpp .cs .db3 .docm .dotm .dotx .drw .dxb .eps .fla .flac .fxg .java .m .m4v .pcd .pct .pl .potm .potx .ppam .ppsx .ps .pspimage .r3d .rw2 .sldm .sldx .svg .tga .wps .xla .xlam .xlm .xltm .xltx .xlw .act .adp .al .bkp .blend .cdf .cdx .cgm .cr2 .dac .dbf .dcr .ddd .design .dtd .fdb .fff .fpx .h .iif .indd .jpeg .mos .nd .nsd .nsf .nsg .nsh .odc .odp .oil .pas .pat .pef .ptx .qbb .qbm .sas7bdat .say .st4 .st6 .stc .sxc .sxw .tlg .wad .xlk .aiff .bin .bmp .cmt .dat .dit .edb .flvv .gif .groups .hdd .hpp .log .m2ts .m4p .mkv .ndf .nvram .ogg .ost .pab .pdb .pif .qed .qcow .qcow2 .rvt .st7 .stm .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .3fr .3pr .ab4 .accde .accdt .ach .acr .adb .srw .st5 .st8 .std .sti .stw .stx .sxd .sxg .sxi .sxm .tex .wallet .wb2 .wpd .x11 .x3f .xis .ycbcra .qbw .qbx .qby .raf .rat .raw .rdb rwl .rwz .s3db .sd0 .sda .sdf .sqlite .sqlite3 .sqlitedb .sr .srf .oth .otp .ots .ott .p12 .p7b .p7c .pdd .pem .plus_muhd .plc .pptx .psafe3 .py .qba .qbr.myd .ndd .nef .nk .nop .nrw .ns2 .ns3 .ns4 .nwb .nx2 .nxl .nyf .odb .odf .odg .odm .ord .otg .ibz .iiq .incpas .jpe .kc2 .kdbx .kdc .kpdx .lua .mdc .mef .mfw .mmw .mny .moneywell .mrw.des .dgc .djvu .dng .drf .dxg .eml .erbsql .erd .exf .ffd .fh .fhd .gray .grey .gry .hbk .ibank .ibd .cdr4 .cdr5 .cdr6 .cdrw .ce1 .ce2 .cib .craw .crw .csh .csl .db_journal .dc2 .dcs .ddoc .ddrw .ads .agdl .ait .apj .asm .awg .back .backup .backupdb .bank .bay .bdb .bgt .bik .bpw .cdr3 .as4

Note: This page was edited on 11-May-2017 to correct an error in a mentioned C2 URL.

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.