Similar to many other ransomware campaigns, Jaff is spread through spam emails pretending to be invoices, scanned files, or generic documents. These emails contain attached PDFs that urge the victim to open another attached Microsoft Word document. If the victim follows through, they are then presented with a screen asking them to enable macros on the document in order to view the content.
Upon enabling macros, a Visual Basic for Applications (VBA) macro will run that downloads and executes the ransomware, which will then begin encrypting the victim's files and appends a .jaff or .wlu file extension.
It was also discovered by researchers at Heimdal Security that it shares infrastructure with a large cybercrime store. This store sells access to tens of thousands of compromised bank accounts and credit cards, as well as account credentials to websites such as Paypal and Amazon.
The large amount of compromised bank accounts for sale highlights the growing trend of cybercriminals not only targeting a user’s files to ransom, but also a user’s credentials in order to sell. Even if a user is able to restore their files from a backup, their account credentials could have already been stolen and sent to the cybercriminals running the operation.
A weakness, recently discovered by Kaspersky Labs, in Jaff’s code has led to the creation of decryption keys for locked files for known variants. Victims should grab the RakhniDecryptor (1.21.2.1 as of this writing) and attempt to unlock their files. While ThreatSTOP users are protected, those users that may have been affected – by a device not on their secured network during infection – can use this utility to decrypt their files.
Enabling the TSCritical targets in your user policy will add protection against Jaff to your ThreatSTOP DNS and IP Firewall Services. If you do not have a ThreatSTOP account
If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Firewall policies are available on the ThreatSTOP Documentation Hub, or contact our