'Jaff' enters the ransomware scene, Locky-style
Please note: this post is not related to the global WannaCry outbreak on Friday 12 May 2017. For ongoing updates on WannaCry, please see our related blog post.
Forcepoint Security Labs have observed today a major malicious email campaign from the Necurs botnet spreading a new ransomware which appears to call itself 'Jaff', peaking within our telemetry at nearly 5m emails per hour. The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point of interaction with systems is the most vulnerable: by potentially reaching so many individuals, campaigns such as this can - and do - succeed in infecting people. Add to this a ransom of 1.79 Bitcoins (approximately $3,300 at the time of the campaign) and the potential 'value' of the campaign is significant.
Analysis
The campaign started just before 09:00 BST and had largely peaked by 13:00 BST. During this short period, over 13 million emails were recorded and blocked by our systems. The graph below shows the hourly volumes recorded:
The campaign has a global scope: the graph below shows the top 20 recipient TLDs recorded within our telemetry. Perhaps unsurprisingly, .com domains make up the majority of the recipients recorded. However, organisations in Ireland, Israel, Belgium, the Netherlands, Italy, Germany, France, Mexico, and Australia also received a significant volume of malicious email during this campaign. Further down the list, TLDs for countries such as Sri Lanka, Peru, and Costa Rica were recorded highlighting the breadth of this campaign.
The campaign theme is a fake document with the following email subject format:
PDF_{four or more digits}
Scan_{four or more digits}
File_{four or more digits}
Copy_{four or more digits}
Document_{four or more digits}
Receipt to print
A screenshot of one of the malicious emails is shown below:
The attached PDF contains an embedded DOCM file with a malicious Macro script. This script will then download and execute the Jaff ransomware.
Possible ties with Locky
Jaff targets 423 file extensions. A complete list of these is provided at the end of this blog. It is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the '.jaff' file extension is appended.
In every affected folder, the ransom notes 'ReadMe.bmp', 'ReadMe.html' and 'ReadMe.txt' are dropped while the desktop background of the infected system is also replaced. All of these components contain a message similar to the following:
Meanwhile, there are a few indicators of a possible association between Jaff and the infamous Locky ransomware. For starters, both Jaff and Locky are spread by the Necurs botnet. Additionally, The Tor-based payment sites for both families resemble each other:
While the code behind Jaff is less sophisticated than Locky's, it attempts to delete itself if the local language of the machine is 'LANG_RUSSIAN' (0x19). Locky is known to implement a similar filtering:
Finally, Jaff attempts to connect to the C2 server fkksjobnn43[.]org which is hardcoded in its code. This is a known Locky domain.
Protection statement
Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:
Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
Stage 5 (Dropper File) - Jaff variants are prevented from being downloaded.
Stage 6 (Call Home) - Attempts by Jaff to contact its C&C server are blocked.
Conclusion
It's easy to be dismissive of broad-reach email campaigns such as this and focus on the more 'glamorous' world of spearphishing. The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point is the weak point: by potentially reaching so many people, campaigns such as this can - and do - succeed in infecting people.
This broad scope, coupled with low antivirus detection rates at the time of the campaign, once again highlights the necessity of defence-in-depth.
At the time of writing it is unclear if Jaff's links with Locky extend beyond the visual structure of the URLs and documents employed. What is clear, given the volume of messages sent, is that the actors behind the campaign have expended significant resources on making such a grand entrance. With the high ransom value suggesting the perpetrators of this campaign intend to recoup their costs, it would be surprising if Jaff fades from the limelight as suddenly.
Indicators of Compromise
Hashes
Nm.pdf SHA256 5722daf5c0b91363808d46a2c5b93a8f70f0dadd94866148d1d77975ba04d211 SHA1 f98a35ab5f9fa47a49db5535b654cebb5bc99bf5
Jaff ransomware SHA256 0746594fc3e49975d3d94bac8e80c0cdaa96d90ede3b271e6f372f55b20bac2f SHA1 8ab568db2bc914e3e6af048666eb0bc4ba2e414d
Download URLs
hxxp://takanashi[.]jp/f87346b hxxp://babil117[.]com/f87346b hxxp://easysupport[.]us/f87346b hxxp://julian-g[.]ro/f87346b hxxp://phinamco[.]com/f87346b hxxp://techno-kar[.]ru/f87346b hxxp://tiskr[.]com/f87346b hxxp://trans-atm[.]com/f87346b hxxp://trialinsider[.]com/f87346b hxxp://wipersdirect[.]com/f87346b
Targeted file extensions
.xlsx .acd .pdf .pfx .crt .der .cad .dwg .MPEG .rar .veg .zip .txt .jpg .doc .wbk .mdb .vcf .docx .ics .vsc .mdf .dsr .mdi .msg .xls .ppt .pps .obd .mpd .dot .xlt .pot .obt .htm .html .mix .pub .vsd .png .ico .rtf .odt .3dm .3ds .dxf .max .obj .7z .cbr .deb .gz .rpm .sitx .tar .tar.gz .zipx .aif .iff .m3u .m4a .mid .key .vib .stl .psd .ova .xmod .wda .prn .zpf .swm .xml .xlsm .par .tib .waw .001 .002 003. .004 .005 .006 .007 .008 .009 .010 .contact .dbx .jnt .mapimail .oab .ods .ppsm .pptm .prf .pst .wab .1cd .3g2 .7ZIP .accdb .aoi .asf .asp. aspx .asx .avi .bak .cer .cfg .class .config .css .csv .db .dds .fif .flv .idx .js .kwm .laccdb .idf .lit .mbx .md .mlb .mov .mp3 .mp4 .mpg .pages .php .pwm .rm .safe .sav .save .sql .srt .swf .thm .vob .wav .wma .wmv .xlsb .aac .ai .arw .c .cdr .cls .cpi .cpp .cs .db3 .docm .dotm .dotx .drw .dxb .eps .fla .flac .fxg .java .m .m4v .pcd .pct .pl .potm .potx .ppam .ppsx .ps .pspimage .r3d .rw2 .sldm .sldx .svg .tga .wps .xla .xlam .xlm .xltm .xltx .xlw .act .adp .al .bkp .blend .cdf .cdx .cgm .cr2 .dac .dbf .dcr .ddd .design .dtd .fdb .fff .fpx .h .iif .indd .jpeg .mos .nd .nsd .nsf .nsg .nsh .odc .odp .oil .pas .pat .pef .ptx .qbb .qbm .sas7bdat .say .st4 .st6 .stc .sxc .sxw .tlg .wad .xlk .aiff .bin .bmp .cmt .dat .dit .edb .flvv .gif .groups .hdd .hpp .log .m2ts .m4p .mkv .ndf .nvram .ogg .ost .pab .pdb .pif .qed .qcow .qcow2 .rvt .st7 .stm .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .3fr .3pr .ab4 .accde .accdt .ach .acr .adb .srw .st5 .st8 .std .sti .stw .stx .sxd .sxg .sxi .sxm .tex .wallet .wb2 .wpd .x11 .x3f .xis .ycbcra .qbw .qbx .qby .raf .rat .raw .rdb rwl .rwz .s3db .sd0 .sda .sdf .sqlite .sqlite3 .sqlitedb .sr .srf .oth .otp .ots .ott .p12 .p7b .p7c .pdd .pem .plus_muhd .plc .pptx .psafe3 .py .qba .qbr.myd .ndd .nef .nk .nop .nrw .ns2 .ns3 .ns4 .nwb .nx2 .nxl .nyf .odb .odf .odg .odm .ord .otg .ibz .iiq .incpas .jpe .kc2 .kdbx .kdc .kpdx .lua .mdc .mef .mfw .mmw .mny .moneywell .mrw.des .dgc .djvu .dng .drf .dxg .eml .erbsql .erd .exf .ffd .fh .fhd .gray .grey .gry .hbk .ibank .ibd .cdr4 .cdr5 .cdr6 .cdrw .ce1 .ce2 .cib .craw .crw .csh .csl .db_journal .dc2 .dcs .ddoc .ddrw .ads .agdl .ait .apj .asm .awg .back .backup .backupdb .bank .bay .bdb .bgt .bik .bpw .cdr3 .as4
Note: This page was edited on 11-May-2017 to correct an error in a mentioned C2 URL.