Starting on May 11, 2017, Flashpoint analysts observed several large spam campaigns originating from the Necurs botnet that aim to dupe recipients into opening malicious attachments that infect their computers with “Jaff” ransomware. These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and finally, the Jaff ransomware loader. This same infection chain has been utilized in the past to infect computers with the Dridex banking Trojan and Jaff’s predecessor, Locky ransomware.
Image 1: The Necurs-Jaff delivery chain reveals heavy usage of PDF attachments.
The Necurs botnet is composed of smaller “sub-botnets” that can be told apart by the seed value the malware uses for its domain generation algorithm (DGA). Although these sub-botnets send different kinds of spam, they all share the same command-and-control (C2) infrastructure. Flashpoint has thus far observed Jaff ransomware emanate only from the sub-botnet whose spam module uses a DGA seed of nine.
Prior to a spam run, the node infected with the Necurs malware will first perform a series of checks to ensure it is capable of sending spam. The infected node first receives an updated list of C2 IP addresses for the spam module before it verifies Internet connectivity by downloading Service Pack 1 for Windows 7. Once these checks pass, the bot will do a final connectivity check for Simple Mail Transfer Protocol (SMTP; TCP Port 25) as depicted in the following packet capture:
Image 2: Packet capture of connectivity checks and spam from a Necurs bot.
Image 3: Malspam with fake headers sent from the Necurs botnet contains a malicious PDF attachment.
Image 4: Victims may be prompted to open a malicious Office document when viewing the PDF spam attachment.
Image 5: The encoded Office document in one of the PDF sections.
Image 6: The Word document that is opened by the PDF file.
Image 7: The hardcoded XOR key used to decode the ransomware loader executable.
The Jaff ransomware is a 32-bit Windows executable containing obfuscated malicious code. Jaff explicitly targets Windows systems, enumerating the local file system for files with specific extensions to encrypt. Encrypted files are renamed by appending the extension .wlu or .jaff; these extensions are characteristic of this ransomware. Each victim obtains a unique Jaff ID, which is used on the Tor payment website.
The Jaff ransomware writes ransom messages localized to the language detected on the system. Like its predecessor Locky, this ransomware renders and saves a bitmap file in each directory containing encrypted files. The bitmap is set as the desktop wallpaper and displays the ransom message.
Images 8-10: The Jaff ransomware attack reveals encryption and its personalized HTML and Bitmap files after the infection.
Jaff enumerates drive letters A through Z via the GetDriveType API, looking for the various types of local drives (fixed and removable storage) before launching its encryption threads.
Jaff ransomware is designed to encrypt files even if the C2 check-in fails. Based on the most current assessment, however, Jaff sends an HTTP GET request to a Jaff domain with a URI ending in /a5, which suggests the following Snort signature (the sid is a local-range placeholder to be replaced with one from the deploying organization's range):
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Jaff ransomware C2 check-in"; flow:to_server,established; content:"GET"; http_method; content:"/a5"; nocase; http_uri; pcre:"/\/a5\/?$/Ui"; classtype:trojan-activity; sid:1000001; rev:1;)
Image 11: The Jaff ransomware enumerates drives from A to Z before launching its encryption threads.
Analysis of the ransomware code shows that Jaff uses both the RSA and AES algorithms through the Windows Crypto API. After encrypting a file with a targeted extension, the ransomware appends a blob of roughly 100 bytes to that file with a single WriteFile API call.
Image 12: Jaff sets the nNumberOfBytesToWrite argument of WriteFile when appending the encryption blob to each file.
The Jaff ransomware is designed not to run under a specific condition. That condition can be imitated on a machine before infection, which yields a simple mitigation strategy.
Image 13: Jaff checks for the presence of Russian-language locale on each machine.
The API calls GetSystemDefaultLangID and GetUserDefaultLangID return a LANGID in the low 16 bits of the extended accumulator register (EAX); on a US English machine that value is 0x0409, the locale identifier (LCID) for English (United States). Jaff does not compare the full value. It keeps the return value in AX, masks it with 0x3FF to isolate the primary language ID (the low 10 bits of a LANGID), and compares the result to 0x19, the primary language ID for Russian. The Russian LCID is 0x0419, so the check fires for any Russian sublanguage rather than only ru-RU.
Below is the relevant disassembled routine used to check whether the machine is Russian-language; the same mask-and-compare sequence appears once for each of the two API calls:
mov edx, 3ff
and ax, dx
cmp ax, 19
mov edx, 3ff
and ax, dx
cmp ax, 19
Image 14: The Jaff ransomware checks for the hardcoded value 0x19, the primary language ID (low 10 bits) of the Russian-language LCID 0x0419.
Image 15: The Jaff ransomware targets various file extensions and deletes itself via a cmd[.]exe command.
Additionally, once it has run, the Jaff ransomware uses a simple self-kill routine: it executes “del /Q /F <path to Jaff ransomware>” via cmd[.]exe /c to delete the original ransomware executable from the victim machine.
The following file extensions are targeted by the Jaff ransomware:
.xlsx .acd .pdf .pfx .crt .der .cad .dwg .MPEG .rar .veg .zip .txt .jpg .doc .wbk .mdb .vcf .docx .ics .vsc .mdf .dsr .mdi .msg .xls .ppt .pps .obd .mpd .dot .xlt .pot .obt .htm .html .mix .pub .vsd .png .ico .rtf .odt .3dm .3ds .dxf .max .obj .7z .cbr .deb .gz .rpm .sitx .tar .tar.gz .zipx .aif .iff .m3u .m4a .mid .key .vib .stl .psd .ova .xmod .wda .prn .zpf .swm .xml .xlsm .par .tib .waw .001 .002 .003 .004 .005 .006 .007 .008 .009 .010 .contact .dbx .jnt .mapimail .oab .ods .ppsm .pptm .prf .pst .wab .1cd .3g2 .7ZIP .accdb .aoi .asf .asp .aspx .asx .avi .bak .cer .cfg .class .config .css .csv .db .dds .fif .flv .idx .js .kwm .laccdb .idf .lit .mbx .md .mlb .mov .mp3 .mp4 .mpg .pages .php .pwm .rm .safe .sav .save .sql .srt .swf .thm .vob .wav .wma .wmv .xlsb .aac .ai .arw .c .cdr .cls .cpi .cpp .cs .db3 .docm .dotm .dotx .drw .dxb .eps .fla .flac .fxg .java .m .m4v .pcd .pct .pl .potm .potx .ppam .ppsx .ps .pspimage .r3d .rw2 .sldm .sldx .svg .tga .wps .xla .xlam .xlm .xltm .xltx .xlw .act .adp .al .bkp .blend .cdf .cdx .cgm .cr2 .dac .dbf .dcr .ddd .design .dtd .fdb .fff .fpx .h .iif .indd .jpeg .mos .nd .nsd .nsf .nsg .nsh .odc .odp .oil .pas .pat .pef .ptx .qbb .qbm .sas7bdat .say .st4 .st6 .stc .sxc .sxw .tlg .wad .xlk .aiff .bin .bmp .cmt .dat .dit .edb .flvv .gif .groups .hdd .hpp .log .m2ts .m4p .mkv .ndf .nvram .ogg .ost .pab .pdb .pif .qed .qcow .qcow2 .rvt .st7 .stm .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .3fr .3pr .ab4 .accde .accdt .ach .acr .adb .srw .st5 .st8 .std .sti .stw .stx .sxd .sxg .sxi .sxm .tex .wallet .wb2 .wpd .x11 .x3f .xis .ycbcra .qbw .qbx .qby .raf .rat .raw .rdb .rwl .rwz .s3db .sd0 .sda .sdf .sqlite .sqlite3 .sqlitedb .sr .srf .oth .otp .ots .ott .p12 .p7b .p7c .pdd .pem .plus_muhd .plc .pptx .psafe3 .py .qba .qbr .myd .ndd .nef .nk .nop .nrw .ns2 .ns3 .ns4 .nwb .nx2 .nxl .nyf .odb .odf .odg .odm .ord .otg .ibz .iiq .incpas .jpe .kc2 .kdbx .kdc .kpdx .lua .mdc .mef .mfw .mmw .mny .moneywell .mrw .des .dgc .djvu .dng .drf .dxg .eml .erbsql .erd .exf .ffd .fh .fhd .gray .grey .gry .hbk .ibank .ibd .cdr4 .cdr5 .cdr6 .cdrw .ce1 .ce2 .cib .craw .crw .csh .csl .db_journal .dc2 .dcs .ddoc .ddrw .ads .agdl .ait .apj .asm .awg .back .backup .backupdb .bank .bay .bdb .bgt .bik .bpw .cdr3 .as4 .tif .asp .hdr .iso
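As an added example (not code from the original Flashpoint post or from Jaff itself), the following Python is a post-infection triage helper built only on the facts above: encrypted files keep their original name with .wlu or .jaff appended, and only files whose extension is on the target list are touched. It walks a directory tree, recovers the original extension of each encrypted file, and separately counts target-list files that were left untouched (files still at risk, or evidence that the run was interrupted). The TARGET_EXTENSIONS set is a small subset of the list above, the function names are the example's own, and the directory it builds is constructed sample data rather than a real infection.

```python
# Added example, not Flashpoint's or Jaff's code: scope a Jaff infection
# from the two facts on this page: the ".wlu"/".jaff" suffix appended to
# encrypted files, and the target-extension list.
import os
import tempfile
from collections import Counter

JAFF_SUFFIXES = (".wlu", ".jaff")

# Small subset of the target-extension list above (assumption: lower-cased
# comparison is sufficient, since the list mixes cases such as .MPEG/.7ZIP).
TARGET_EXTENSIONS = {
    ".docx", ".xlsx", ".pdf", ".jpg", ".txt", ".vmdk", ".kdbx", ".sql", ".pst",
}


def split_jaff_name(filename: str):
    """Return (original_name, jaff_suffix) if Jaff renamed the file, else None.

    Jaff appends .wlu or .jaff to the existing name, so "budget.xlsx.jaff"
    recovers to "budget.xlsx".
    """
    lower = filename.lower()
    for suffix in JAFF_SUFFIXES:
        if lower.endswith(suffix) and len(filename) > len(suffix):
            return filename[: -len(suffix)], suffix
    return None


def triage(root: str) -> dict:
    """Walk `root` and tally encrypted files by recovered original extension.

    Also counts files whose extension is on the target list but which carry
    no Jaff suffix: those were either not reached or not yet encrypted.
    """
    encrypted = Counter()
    total_encrypted = 0
    untouched_targets = 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            parts = split_jaff_name(name)
            if parts:
                original, _suffix = parts
                encrypted[os.path.splitext(original)[1].lower()] += 1
                total_encrypted += 1
            elif os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                untouched_targets += 1
    return {
        "encrypted": dict(encrypted),
        "total_encrypted": total_encrypted,
        "untouched_targets": untouched_targets,
    }


def build_sample_tree() -> str:
    """Constructed sample data: a temp tree mimicking a directory after a
    partial Jaff run (four renamed files, one untouched .txt, one .exe that
    Jaff does not target)."""
    root = tempfile.mkdtemp(prefix="jaff-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in (
        "budget.xlsx.jaff", "notes.txt.wlu", "photo.jpg.jaff",
        "vault.kdbx.wlu", "readme.txt", "tool.exe",
    ):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"constructed sample content, not real encrypted data")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

On a real host, point triage() at each drive root Jaff would have enumerated (A: through Z:) and compare the recovered extensions against the full list above to decide which data sets must be restored from backup.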
Images 16-17: Jaff ransomware victim payment page and admin panel on the Tor hidden website.
Flashpoint analysts continue to monitor the cybercriminal syndicate behind Jaff ransomware. These actors utilize the Necurs rootkit infections as a spam bot to deliver email spam with malicious attachments. Flashpoint assesses with moderate confidence that the threat actors who once favored Locky have now likely switched to using Jaff ransomware.
This Jaff syndicate remains one of the most active cybercriminal groups within the cybercrime landscape. Virtually every Russian-language cybercrime gang has an informal rule prohibiting criminal activity directed against Russian nationals and other residents of the Commonwealth of Independent States (CIS), in order to avoid being targeted by Russian law enforcement. With the influx of press releases from Russian law enforcement about the arrest of major cybercrime gangs, that exposure remains a constant factor in the risk calculations of Russian-speaking cybercriminals. The Jaff actors likewise continue to avoid Russian-language victims via specific Windows API queries, which further supports the hypothesis that the cybercriminals behind Jaff operate in a Russian-speaking country.
One possible Jaff ransomware mitigation involves changing a machine's language to Russian. One of the steps the ransomware takes is to check the machine's language via the GetSystemDefaultLangID and GetUserDefaultLangID APIs; if Jaff detects that the language is set to Russian, it terminates itself before encrypting anything.
Organizations should continue to proactively collect indicators of compromise (IOCs) relevant to ongoing ransomware campaigns, since variants such as Jaff are updated in response to the IOCs defenders publish. As ransomware threats continue to evolve, it is crucial to develop and maintain good security hygiene, including robust patch and vulnerability management, data encryption, data backups, and strict user-access management controls.
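As an added example (not code from the original Flashpoint post or from Jaff), the following Python models the mask-and-compare from the disassembly earlier on this page against Windows LANGID values, so that a responder can see which locales trip the kill switch described in the mitigation above without running the sample. The function names (primary_langid, jaff_aborts, classify, host_langids) and the sample LANGID table are the example's own. One assumption is marked in the code: that either API call returning Russian is enough to abort, since the disassembly shows the compare after each call but not how the two results are combined.

```python
# Added example, not Flashpoint's or Jaff's code: model Jaff's language
# kill switch (mov edx, 3ff / and ax, dx / cmp ax, 19) on LANGID values.
import ctypes
import sys

LANG_RUSSIAN = 0x19        # primary language ID for Russian
PRIMARY_LANG_MASK = 0x3FF  # low 10 bits of a LANGID hold the primary language

# Constructed sample of LANGIDs as GetSystemDefaultLangID / GetUserDefaultLangID
# return them: primary language in the low 10 bits, sublanguage above that.
SAMPLE_LANGIDS = {
    "en-US": 0x0409,
    "en-GB": 0x0809,
    "ru-RU": 0x0419,
    "ru-MD": 0x0819,  # Russian (Moldova): other sublanguage, same primary ID
    "uk-UA": 0x0422,
    "de-DE": 0x0407,
}


def primary_langid(langid: int) -> int:
    """Mirror of `and ax, 3ff`: strip the sublanguage bits."""
    return langid & PRIMARY_LANG_MASK


def jaff_aborts(system_langid: int, user_langid: int) -> bool:
    """True when Jaff's check would terminate the ransomware before encryption.

    Because the sample compares the masked value to 0x19, any Russian
    sublanguage trips the switch, while a non-Russian locale whose LCID merely
    shares the 0x04xx sublanguage byte (en-US 0x0409) does not.
    Assumption (not shown on the page): Russian from either call is enough.
    """
    return any(
        primary_langid(value) == LANG_RUSSIAN
        for value in (system_langid, user_langid)
    )


def classify(samples=None) -> dict:
    """Map each sample locale name to whether Jaff would abort on that host
    (system and user locale assumed identical)."""
    samples = SAMPLE_LANGIDS if samples is None else samples
    return {name: jaff_aborts(lid, lid) for name, lid in samples.items()}


def host_langids():
    """On Windows, read the real values through kernel32; elsewhere return None."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    return k32.GetSystemDefaultLangID(), k32.GetUserDefaultLangID()


if __name__ == "__main__":
    print(classify())
    live = host_langids()
    if live is not None:
        print("this host would be spared:", jaff_aborts(*live))
```

Note the consequence for the mitigation: changing either the system locale or the user locale to any Russian variant satisfies the check as modeled here, but a locale such as Ukrainian (0x0422) does not, even though it shares the 0x04 sublanguage byte.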
Attachments & Downloads
To download the Jaff Ransomware indicators of compromise (IOCs), please click here.