Cyren : Locky 2? Jaff Ransomware Launched from Necurs Botnet

Despite WannaCrypt grabbing all the headlines, it is far from being the only ransomware in circulation. A second wave of Jaff ransomware is now being distributed by the stealthy Necurs botnet. Starting on Wednesday last week, the Necurs botnet has been harnessed to distribute a new Locky-style email campaign. Cyren saw and blocked about 50 million emails in less than 24 hours in the first wave. Six hours into the second wave of attack, 7 million emails have been blocked.

There are signs that the same group responsible for Locky and Dridex are also at work here. Because of Necurs' size and stealth, we predict that this attack campaign will be persistent and large-scale.

What is the difference between WannaCrypt and Jaff?

In both WannaCrypt and Jaff the criminal motives are the same, extorting victims for money by holding files for ransom. However, while keeping your operating system up-to-date with the latest security patches may get you out of being infected by WannaCrypt, there is no guarantee of such protection in most ransomware campaigns. The vulnerability Jaff exploits is the human factor, and user action is always required for the attack to work.

Compared to other ransomware campaigns, Jaff is asking an unusually high ransom payment, approximately $3,800 per infection. The highly profiled WannaCrypt asks for $300, increasing to $600 if the ransom has not been paid after a week.

How does Jaff work?

Jaff is distributed with an email campaign sent from the Necurs botnet. Typically, such emails contain a message body designed to trick the user into opening the attachment, but here Jaff differs. The email contains only an attachment and the message body just has the name of the attachment. In the first attack, the emails had names like Document_[random number].pdf and Scan_[random number].pdf. The current one mainly uses attachment names with only numbers.

The attached PDF has an embedded docm file - a document file containing a macro. Depending on the version of Adobe, the document will either prompt the user to open the embedded doc, or it will automatically launch MS Word. Once opened, the user is prompted to enable editing and content.

Macro Downloads Ransomware

After being enabled, the macro downloads the Jaff ransomware executable file from one of a list of hardcoded URLs as seen in the picture below, in this specific case djkammerthal[.]de/hHGFjd. The downloaded binary is decrypted by the macro, installed and executed.

First, the program connects to a C&C server to let the attackers know of a new infection.

{

[...]

'method': 'GET',

'host': 'h552terriddows[.]com', 'uri': '/a5/',

[...]

'status_code': '201', 'status_msg': 'Created',

}

Excerpt from the C&C check-in.

File Formats Encrypted

After check-in, the encryption of files on the victim computer starts. Encryption using RSA-2048 key (AES CBC 256-bit encryption algorithm) is used and a .jaff extension is appended to the encrypted files. The following file formats are encrypted:

xlsx .acd .pdf .pfx .crt .der .cad .dwg .MPEG .rar .veg .zip .txt .jpg .doc .wbk .mdb .vcf .docx .ics .vsc .mdf .dsr .mdi .msg .xls .ppt .pps .obd .mpd .dot .xlt .pot .obt .htm .html .mix .pub .vsd .png .ico .rtf .odt .3dm .3ds .dxf .max .obj .7z .cbr .deb .gz .rpm .sitx .tar .tar.gz .zipx .aif .iff .m3u .m4a .mid .key .vib .stl .psd .ova .xmod .wda .prn .zpf .swm .xml .xlsm .par .tib .waw .001 .002 .003 .004 .005 .006 .007 .008 .009 .010 .contact .dbx .jnt .mapimail .oab .ods .ppsm .pptm .prf .pst .wab .1cd .3g2 .7ZIP .accdb .aoi .asf .asp. aspx .asx .avi .bak .cer .cfg .class .config .css .csv .db .dds .fif .flv .idx .js .kwm .laccdb .idf .lit .mbx .md .mlb .mov .mp3 .mp4 .mpg .pages .php .pwm .rm .safe .sav .save .sql .srt .swf .thm .vob .wav .wma .wmv .xlsb .aac .ai .arw .c .cdr .cls .cpi .cpp .cs .db3 .docm .dotm .dotx .drw .dxb .eps .fla .flac .fxg .java .m .m4v .pcd .pct .pl .potm .potx .ppam .ppsx .ps .pspimage .r3d .rw2 .sldm .sldx .svg .tga .wps .xla .xlam .xlm .xltm .xltx .xlw .act .adp .al .bkp .blend .cdf .cdx .cgm .cr2 .dac .dbf .dcr .ddd .design .dtd .fdb .fff .fpx .h .iif .indd .jpeg .mos .nd .nsd .nsf .nsg .nsh .odc .odp .oil .pas .pat .pef .ptx .qbb .qbm .sas7bdat .say .st4 .st6 .stc .sxc .sxw .tlg .wad .xlk .aiff .bin .bmp .cmt .dat .dit .edb .flvv .gif .groups .hdd .hpp .log .m2ts .m4p .mkv .ndf .nvram .ogg .ost .pab .pdb .pif .qed .qcow .qcow2 .rvt .st7 .stm .vbox .vdi .vhd .vhdx .vmdk .vmsd .vmx .vmxf .3fr .3pr .ab4 .accde .accdt .ach .acr .adb .srw .st5 .st8 .std .sti .stw .stx .sxd .sxg .sxi .sxm .tex .wallet .wb2 .wpd .x11 .x3f .xis .ycbcra .qbw .qbx .qby .raf .rat .raw .rdb rwl .rwz .s3db .sd0 .sda .sdf .sqlite .sqlite3 .sqlitedb .sr .srf .oth .otp .ots .ott .p12 .p7b .p7c .pdd .pem .plus_muhd .plc .pptx .psafe3 .py .qba .qbr.myd .ndd .nef .nk .nop .nrw .ns2 .ns3 .ns4 .nwb .nx2 .nxl .nyf .odb .odf .odg .odm .ord .otg .ibz .iiq .incpas .jpe .kc2 .kdbx .kdc .kpdx .lua .mdc .mef .mfw .mmw .mny .moneywell .mrw.des .dgc .djvu .dng .drf .dxg .eml .erbsql .erd .exf .ffd .fh .fhd .gray .grey .gry .hbk .ibank .ibd .cdr4 .cdr5 .cdr6 .cdrw .ce1 .ce2 .cib .craw .crw .csh .csl .db_journal .dc2 .dcs .ddoc .ddrw .ads .agdl .ait .apj .asm .awg .back .backup .backupdb .bank .bay .bdb .bgt .bik .bpw .cdr3 .as4

The picture above shows a folder after encryption of files. The two Readme.bmp and Readme.html files give instructions on how the victim can pay the ransom to decrypt the files.

Payment Demand!

Opening one of these reveals the instructions for paying the ransom. The note is also left on the desktop.

Samples Used in this Analysis

PDF attachment = sha256: edf33d5a18395b62d8ad81e6792d074e5c6e74fc21e0c23bdc6f11a0caaeb2a6

Malicious macro document = sha256:dc0cb56ed4b47f1b5269da19472fef37e27d6f18a40d82785e13727818960633

Ransomware executable = sha256:41bce3e382cee06aa65fbee15fd38f7187fb090d5da78d868f57c84197689287

Examples of Jaff download URLs:

5hdnnd74fffrottd[.]com/af/hHGFjd

bianshop[.]com/hHGFjd

bizcleaning[.]co[.]uk/hHGFjd

boolas[.]com/hHGFjd

byydei74fg43ff4f[.]net/af/hHGFjd

dcfarbicka[.]sk/hHGFjd

diasgroup[.]sk/hHGFjd

djkammerthal[.]de/hHGFjd

dovahosting[.]com/hHGFjd

dsintergrated[.]com/hHGFjd

ecbuyjp[.]com/hHGFjd

ecuamiaflowers[.]com/hHGFjd

energybalancecenter[.]nl/hHGFjd

fotografikum[.]com/hHGFjd

hncdc[.]org/hHGFjd

hrlpk[.]com/hHGFjd

oyasinsaat[.]com[.]tr/hHGFjd

phoicanh3d[.]com/hHGFjd

ppapmoozamiz[.]com/hHGFjd

rooana[.]com/hHGFjd

sjffonrvcik45bd[.]info/af/hHGFjd

tutmacli[.]com/hHGFjd

urachart[.]com/hHGFjd

vasroc[.]pt/hHGFjd

vbplan[.]de/hHGFjd