The latest threat in the ransomware family is Jaff ransomware, which is infecting computers worldwide. Jaff made its debut with large phishing email campaigns on May 11, 2017 – just one day before the sensational impact of the WannaCry ransomware attack. The phishing emails used to deliver Jaff carried various subject lines implying that a receipt, scanned document, or report was attached. The good news is that Kaspersky Labs was able to develop a decryption tool on 17th June 2017, which helps users worldwide clean this ransomware from their computers.
Jaff ransomware is crypto-malware: it targets at least 423 file types and encrypts them with sophisticated ciphers. Jaff stood out because it was distributed by the Necurs botnet and used a ransom page design similar to Locky's. During encryption, the malware appends a .jaff, .wlu or .sVn extension after the original file extension. Once files are encrypted, the Jaff Decryptor System creates three files (“ReadMe.bmp” [also set as the desktop wallpaper], “ReadMe.txt”, and “ReadMe.html”) and places a copy of each in every folder that contains encrypted files. The three files carry an identical message stating that the files are encrypted and that the victim must pay a ransom to download a decryption tool and unlock them.
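The extensions and ransom-note names above are the on-disk indicators a responder would look for when triaging a suspect machine. The following scanner is an added example, not code from the original article or from any vendor tool: it walks a directory tree, counts files renamed with the .jaff/.wlu/.sVn extensions and lists every folder holding all three ReadMe notes, using a constructed sample tree so it runs offline.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators described in the article: extensions Jaff appends to encrypted
# files and the three identical ransom notes dropped into each affected folder.
JAFF_EXTENSIONS = {".jaff", ".wlu", ".svn"}
JAFF_NOTES = {"readme.bmp", "readme.txt", "readme.html"}


def scan_for_jaff(root):
    """Walk `root` and report Jaff indicators.

    Returns a dict with the count of renamed files per (lower-cased)
    extension and the folders that contain all three ransom notes.
    """
    renamed = Counter()
    note_folders = []
    for dirpath, _dirnames, filenames in os.walk(root):
        lowered = {name.lower() for name in filenames}
        if JAFF_NOTES <= lowered:  # all three notes present in this folder
            note_folders.append(os.path.relpath(dirpath, root))
        for name in filenames:
            ext = Path(name).suffix.lower()  # last suffix only, e.g. ".jaff"
            if ext in JAFF_EXTENSIONS:
                renamed[ext] += 1
    return {"renamed": dict(renamed), "note_folders": sorted(note_folders)}


def build_sample_tree():
    """Constructed sample tree (placeholder content, not real malware output)."""
    root = tempfile.mkdtemp(prefix="jaff-demo-")
    docs = Path(root, "Documents")
    docs.mkdir()
    # Jaff keeps the original extension and appends its own after it.
    for name in ("budget.xlsx.jaff", "letter.docx.wlu", "photo.jpg.sVn"):
        (docs / name).write_bytes(b"constructed ciphertext")
    for note in ("ReadMe.bmp", "ReadMe.txt", "ReadMe.html"):
        (docs / note).write_text("constructed ransom note")
    clean = Path(root, "Pictures")
    clean.mkdir()
    (clean / "holiday.jpg").write_bytes(b"untouched")
    return root


if __name__ == "__main__":
    print(scan_for_jaff(build_sample_tree()))
```

Point `scan_for_jaff` at a mounted image or a user profile to get a quick picture of which folders were hit before restoring from backup.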
What does this ransomware look like?
Jaff ransomware caught attention because it is spread via the Necurs botnet, which previously distributed ransomware such as Locky, and it already had a large number of submissions to ID-Ransomware. Jaff is written in C and packed with a custom obfuscator. Obfuscators are methods malware authors use to hide malware beneath potentially multiple layers of encryption and compression in order to make analysis more difficult. Jaff uses a mix of RSA and AES to encrypt the user’s data. Jaff initially encrypted victims’ files with the .jaff extension and demanded 2.036 Bitcoins (roughly $3,726 in ransom); it has since shifted to the .wlu extension and asked Duncan’s machine for only 0.35630347 Bitcoins (around $833.50).
How did this ransomware get into my PC?
Caution must be taken when opening files received from suspicious emails and when downloading software from unofficial sources. Any of the following can be the route of infiltration:
- Spam emails (infectious attachments)
- Peer-to-peer networks (torrents, eMule, etc.)
- Third party software download sources (freeware downloads websites, free file hosting websites, etc.)
- Fake software update tools and trojans.
Malicious behavior once the PC is infected
- Once you open a Jaff-infected file, it infects the computer; the malware then connects to its hosts and downloads the payload onto the compromised machine.
- The malware is written in the C programming language and creates multiple entries in the Windows Registry.
- Registry strings pointing to the malicious files are created so that they are launched as Windows processes with administrator rights and can carry out the malicious activity.
Tips to prevent infection:
- Enable your pop-up blocker: Pop-ups and ads on websites are the most commonly adopted tactic used by cyber criminals to spread malicious programs like Jaff Ransomware. So avoid clicking on untrusted sites, software offers, pop-ups, etc.
- Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. This helps keep your device free from malware. According to surveys, outdated/older versions of the Windows operating system are an easy target.
- Third-party installation: Try to avoid freeware download websites, as they usually bundle extra software with the installer or stub file.
- Regular backup: Regular, periodic backups keep your data safe in case the system is infected by a virus or any other malware. So always back up important files regularly to a cloud drive or an external hard drive.
- Always have an anti-virus: Prevention is better than cure. We recommend that you install an antivirus like McAfee or a good malware removal tool like Malware Crusher. Apart from this, we suggest updating this software regularly so it can detect and block the latest infections.