<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><img src="https://info.threatstop.com/hubfs/Jaff.jpg" alt="Jaff" style="display: block; margin-left: auto; margin-right: auto;"> Jaff ransomware closely resembles other "standard" ransomware: it encrypts the victim's files with AES. It is <a href="https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart">attributed</a> to the actors behind Dridex, Locky and Bart, and has been spreading in high volume through the Necurs botnet.<!--more--> <p>Like many other ransomware campaigns, Jaff arrives in spam emails posing as invoices, scanned files or generic documents. Each email carries a PDF attachment; the PDF in turn carries a Microsoft Word document and urges the victim to open it. A victim who does so is shown a page asking them to enable macros in order to view the content.</p> <p>Once macros are enabled, a Visual Basic for Applications (VBA) macro downloads and executes the ransomware, which begins encrypting the victim's files and <a href="https://www.bleepingcomputer.com/news/security/jaff-ransomware-switches-to-the-wlu-extension-and-gets-a-new-design/">appends</a> a <strong>.jaff</strong> or <strong>.wlu</strong> extension to each one. Nothing malicious runs until the user clicks through the macro warning, so blocking macros in Office files received from the internet (an Office Group Policy setting) stops this chain before the download stage.</p> <p>Researchers at Heimdal Security also found that Jaff <a href="https://heimdalsecurity.com/blog/jaff-ransomware-operation-cyber-crime-marketplace/">shares infrastructure with a large cybercrime store</a>. 
This store sells access to tens of thousands of compromised bank accounts and credit cards, as well as credentials for sites such as PayPal and Amazon.</p> <p>The large number of compromised bank accounts for sale highlights a growing trend: criminals no longer only ransom a user's files, they also steal the user's credentials to sell. Even a user who restores every file from backup may already have had their account credentials exfiltrated to the criminals running the operation.</p> <p>A weakness in Jaff's code, <a href="https://threatpost.com/decryption-utility-unlocks-files-encrypted-by-jaff-ransomware/126276/">recently discovered</a> by <a href="https://noransom.kaspersky.com/">Kaspersky Lab</a>, made it possible to decrypt files locked by the known variants. Victims should download the <a href="http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip">RakhniDecryptor</a> (version 1.21.2.1 as of this writing) and run it against their files; work on copies of the encrypted files, so the originals survive if the tool turns out not to support your variant. ThreatSTOP users are protected, but a user whose device was infected while off the secured network can use this utility to recover their files.</p> <p>Enabling the <strong>TSCritical</strong> targets in your user policy adds protection against <a href="https://blog.threatstop.com/bi-weekly-security-update-6/9/2017">Jaff</a> to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account, sign up for a free trial.</p> <p>If you do have a ThreatSTOP account, instructions for adding targets to <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy" target="_blank">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall" target="_blank">IP</a> Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our team.</p></span>
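<p>The delivery chain described at the top of this post (a PDF lure that carries a Word document, which in turn carries the VBA downloader) can be caught at the mail gateway before anyone is asked to enable macros. The script below is an added example written for this post, not ThreatSTOP's, Proofpoint's or Kaspersky's code. It flags a PDF that declares an Office document as an attachment and an OOXML document that contains a VBA project part. The sample PDF, the sample .docm and the file names are constructed for the demonstration and are not real Jaff samples; the regex over the PDF is a first-pass triage, not a PDF parser, so object streams, encrypted PDFs and legacy binary .doc files still need a real tool such as oletools.</p>

```python
"""Triage one mail attachment for the Jaff delivery chain:
PDF -> attached Office document -> VBA project.

Added example for this post (not vendor code). Sample data is constructed."""
import io
import re
import zipfile

# Office extensions worth inspecting when they appear as a PDF attachment
# (assumed list for this example; Word also sniffs content for renamed files)
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".xlsx")

# Magic bytes of the legacy OLE2 compound document format (.doc/.xls)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def pdf_attachment_names(pdf_bytes: bytes) -> list:
    """Return display names of attachments declared by /Filespec dictionaries.

    A PDF attachment is an /EmbeddedFile stream referenced from a /Filespec
    dictionary whose /F (or /UF) entry holds the file name. Only the form
    "/Type /Filespec ... /F (name)" is handled here."""
    names = []
    for m in re.finditer(rb"/Type\s*/Filespec", pdf_bytes):
        window = pdf_bytes[m.end(): m.end() + 512]       # rest of the dictionary
        f = re.search(rb"/(?:UF|F)\s*\(([^)]*)\)", window)
        if f:
            names.append(f.group(1).decode("latin-1"))
    return names


def office_has_vba(doc_bytes: bytes) -> bool:
    """True if an OOXML document carries a VBA project part.

    OOXML files are zip archives; a macro-enabled document stores its VBA in
    a part named vbaProject.bin (for Word: word/vbaProject.bin)."""
    if doc_bytes.startswith(OLE_MAGIC):
        # Legacy binary format has no zip to walk; hand it to olevba instead
        raise ValueError("legacy OLE document: inspect with olevba")
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings for one attachment (empty list = nothing flagged)."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".pdf") or data.startswith(b"%PDF"):
        for name in pdf_attachment_names(data):
            if name.lower().endswith(OFFICE_EXTS):
                findings.append(f"PDF carries macro-capable attachment: {name}")
    if lower.endswith(OFFICE_EXTS):
        try:
            if office_has_vba(data):
                findings.append(f"Office document contains VBA project: {filename}")
        except ValueError as exc:
            findings.append(f"{filename}: {exc}")
    return findings


# Constructed lure PDF: a catalog with an EmbeddedFiles name tree pointing at
# a Filespec for "invoice.docm" (the Jaff pattern, with an empty payload here)
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles "
    b"<< /Names [(invoice.docm) 3 0 R] >> >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 4 0 R >> >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def build_sample_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML archive, optionally with a VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are OLE2 containers; the magic is enough here
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf", SAMPLE_PDF),
        ("invoice.docm", build_sample_docm(True)),
        ("clean.docx", build_sample_docm(False)),
    ]
    for fname, blob in samples:
        print(fname, "->", triage_attachment(fname, blob) or "nothing flagged")
```

<p>A gateway rule built on these two checks quarantines the lure PDF on the first finding alone, regardless of whether the inner document's macro is obfuscated, because the structural fact (an Office file riding inside a PDF) is what the campaign depends on.</p>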