Slashdot Mirror


New Ransomware 'Jaff' Spotted; Malware Groups Pushing 5M Emails Per Hour To Circulate It (theregister.co.uk)

An anonymous reader writes: The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". Jaff spreads in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script. This script will then download and execute the Jaff ransomware. Locky -- like Jaff -- also used the Necurs botnet and a booby-trapped PDF, security firm Malwarebytes notes. "This is where the comparison ends, since the code base is different as well as the ransom itself," said Jerome Segura, a security researcher at Malwarebytes. "Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing." Proofpoint reckons Jaff may be the work of the same cybercriminals behind Locky, Dridex and Bart (other nasty malware) but this remains unconfirmed. And Forcepoint Security Labs reports that malicious emails carrying Jaff are being cranked out at a rate of 5 million an hour on Thursday, or 13 million in total at the time it wrote up a blog post about the new threat.

58 comments

  1. probably .gov by Anonymous Coward · · Score: 0

    And probably designed to give them an excuse to outlaw btc.

    1. Re:probably .gov by Sassinak · · Score: 1

      And you think that would make it better?.. I mean your logic is they should ban all untraceable forms of currency including cash because they COULD be used to do nefarious things.

      Of course, governments do stupid things.. and people are easy to goad through fear. (aka: terrorism)

      --
      God made the Idiot for practice, and then He made the School Board -- Mark Twain Look for http://Thebar.steelbeachca
  2. Another horrific idea from Microsoft by Anonymous Coward · · Score: 0

    Simply changing the name of a .docx file to .docm enables scripting?

    1. Re:Another horrific idea from Microsoft by Darinbob · · Score: 3, Interesting

      It's for enhanced user experience. But yes, the stupidest idea from Microsoft ever was to allow scripting in documents, and not just basic scripting but scripts with tons of control over your computer. They should just go ask a 10 year old, "would this be a good idea?" and they'd be better off.

  3. THIS is why we need a squad of anti-malware HITMEN by Anonymous Coward · · Score: 0

    -nt-

  4. Kickstart by Anonymous Coward · · Score: 0

    I'll start a Kickstarter fund to raise money to hire some Blackwater mercenaries to go take these guys out - if I can.

  5. Having problems running this in Linux by Anonymous Coward · · Score: 5, Funny

    Does anyone know what settings I need in WINE to make this work in Linux? Getting sick of all these Windows-specific programs!

    1. Re:Having problems running this in Linux by smooth+wombat · · Score: 4, Funny

      And that's the problem with Linux. You spend more time fiddling with settings to get something to work than you do getting work done

      --
      We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
    2. Re:Having problems running this in Linux by Anonymous Coward · · Score: 1

      Well, I tried it on BSD and it wouldn't work there either. So much for portability - write once, debug everywhere...

    3. Re:Having problems running this in Linux by fisted · · Score: 3, Interesting

      Yeah, but only once. Unlike in Windows, the settings don't tend to magically flip themselves back with "updates"

    4. Re:Having problems running this in Linux by goombah99 · · Score: 2

      The perfect ransomware for a linux machine would be one that keeps all the files but changes the OS to windows XP then locks the boot firmware till you pay.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    5. Re:Having problems running this in Linux by Anonymous Coward · · Score: 0

      I think it's well understood by the people who create these things that someone who can't afford to buy Windows to start with isn't going to be paying the ransom. There's very little money to be made on Linux ransomware.

    6. Re:Having problems running this in Linux by Penguinisto · · Score: 1

      ...as long as it isn't Windows 10 (or worse, Vista...)

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    7. Re:Having problems running this in Linux by FFOMelchior · · Score: 1

      And that's the problem with Linux. You spend more time fiddling with settings to get something to work than you do getting work done

      Only if you consider "not getting work done" a problem.

    8. Re:Having problems running this in Linux by dbIII · · Score: 1

      Libreoffice in a rare exception.
      It keeps some of its settings (eg. allowing or disallowing read/write access to network drives) in a script that gets replaced with every update instead of somewhere sensible.

  6. And, This is Why... by CAOgdin · · Score: 4, Insightful

    ...I have 100% backups of every computer on my LAN, every night, stored to an external drive, one of three that I rotate among. The backups are automatic, concluded by shutting down the computer from which the backup was just copied to disk, every night. I have about a week's worth of backups on each disk, for each computer on the LAN, so I have about three weeks' worth of backups on hand. Rolling back is easy, and takes less than an hour.

    I'll never understand how technologists--who claim they are professionals--can leave their own or others' computers unprotected by backups, automatically made ('cause if they're not automatic, they'll never get made).

    Sure, anti-virus and malware detection is important, but my backups are the final defense against miscreants like those who create these malicious invasion methodologies.

    1. Re:And, This is Why... by Zenin · · Score: 1

      So if you physically rotate the drives...how is that "automatic"?

      More importantly, keep in mind some of the ransomware running around is sneaky, running transparently for weeks or months to ensure that whatever backups are being made have rolled past their maximum retention and all the new backups are actually encrypted. After a common retention period like 3 months, the malware pulls the plug...deleting the local encryption keep and throwing up a ransom note. "Oh, but I have weeks' worth of backups, I'm fine!"...until you realize all those backups are also encrypted...

      --
      My /. uid is better then your /. uid
    2. Re:And, This is Why... by Zenin · · Score: 1

      s/encryption keep/encryption key *sigh*/

      --
      My /. uid is better then your /. uid
    3. Re:And, This is Why... by silverhalide · · Score: 3, Insightful

      Ok, but why? Backing up individual PCs is a waste of time and resources in the high-speed network era.

      Train your users that it's 2017, workstations are disposable and may disappear at any given moment. If their shit isn't saved on the network NAS or in $CloudDriveProvider, it doesn't exist. Restoring should be just re-imaging a computer and signing back into relevant accounts.

      Windows has had seamless server file storage redirection for years, so you don't even really have to train them, just redirect My Documents and Desktop to the fileserver.

      Ditch MS office already. It's 2017 and there is absolutely no excuse for these types of vulnerabilities anymore. It doesn't do anything useful that Google Docs does, unless you consider spreading malware useful.

    4. Re:And, This is Why... by Anonymous Coward · · Score: 0

      This is spreading by PDF how do you drag MS office into it?

    5. Re: And, This is Why... by Anonymous Coward · · Score: 1

      Yeah great if you work for a tiny company, try the same with 100/1000/10000/100000 desktops...

    6. Re:And, This is Why... by ctilsie242 · · Score: 2

      I am waiting for the generation of ransomware which installs a shim driver that transparently encrypts documents, but allows the user to access them for a certain period of time (so all backups in 30-90 days are useless), then at a date/time, purges the keys, and springs the trap.

      I would say that these days, I'd consider a much longer backup rotation with snapshots kept for years just in case.

      I also would look at a "pull" backup mechanism, a client that the server contacts. That way, unlike backing up to a share, the backup share could be destroyed.

    7. Re:And, This is Why... by Anonymous Coward · · Score: 0

      There is also AppLocker, which stops this stuff cold. Amazing why more organizations don't use it.

    8. Re:And, This is Why... by Zenin · · Score: 4, Insightful

      1) A LOT of workstations include not just data, but a lot of specific configuration. That's especially true of those used in the medical field where they're used to control equipment, but it's also very true for any user more advanced than an office drone. Simply re-imaging them won't get them anywhere remotely close to a functional state.

      2) Simply saving to network/cloud drive won't save you from ransomware; They'll simply encrypt every NAS/cloud storage the user has access to. Often it can greatly exacerbate the problem because if/when a server attached to that NAS gets infected...it can encrypt the entire company's data at a much, much faster rate than local PCs and doesn't need to infect all those individual machines or wait for them to be powered on. Cloud storage is even worse in this regard, because access keys can be jacked and the storage reached externally by bot clusters.

      Also, NAS is dead...long live hybrid solutions. Panzura, StorSimple, etc. Still, it requires massively upgraded networks, both LAN and WAN connectivity, to adequately replace local storage with remote for hundreds or thousands of users.

      A much more legitimate response would be something like AWS WorkSpaces, but again local machine controllers often won't be able to use those solutions.

      3) Who the hell uses My Documents? Despite MS pushing it for ages, real world usage shows almost everyone (especially non-power users) saving everything to their desktop.

      4) Ditch MS Office, haha that's funny. Clearly, you don't work in any company larger than a few dozen employees.

      --
      My /. uid is better then your /. uid
    9. Re:And, This is Why... by Anonymous Coward · · Score: 0

      Ditch MS office already. It's 2017 and there is absolutely no excuse for these types of vulnerabilities anymore. It doesn't do anything useful that Google Docs does, unless you consider spreading malware useful.

      Does Google Docs allow you to manage your files and use Office-like features and interfaces offline, and without absolute reliance upon the cloud to perform the simplest of tasks within your company?

      Not every business in the world likes the idea of putting all of their precious eggs in the proverbial $CloudProvider basket that sits well beyond the physical and electronic confines of a locked building and firewalled VLANs. I agree there's no excuse for this kind of shit to be happening within Office docs, but the cloud isn't the end-all-be-all, and does in fact have limitations.

    10. Re:And, This is Why... by mspohr · · Score: 1

      Does Google Docs allow you to manage your files and use Office-like features and interfaces offline, and without absolute reliance upon the cloud to perform the simplest of tasks within your company?

      Short answer: YES

      --
      I don't read your sig. Why are you reading mine?
    11. Re:And, This is Why... by mspohr · · Score: 1

      Ditch MS Office
      Use Google Docs
      Workstations are disposable... just re-image and sign back in

      Sounds like a good prescription for Chromebooks

      --
      I don't read your sig. Why are you reading mine?
    12. Re:And, This is Why... by Anonymous Coward · · Score: 0

      I think you meant "seamless." Funny how my "100% synced" H: drive shows to be empty 99% of the time.

    13. Re:And, This is Why... by mspohr · · Score: 1

      It uses a wonderful feature of Windows called docm which allows scripts.
      If you go to TFA, you'll see this brilliant Windows software in action.

      --
      I don't read your sig. Why are you reading mine?
    14. Re: And, This is Why... by mspohr · · Score: 1

      Throw out the desktops. Give everyone Chromebooks. No management issues.
      Just sign in and you're good to go.

      --
      I don't read your sig. Why are you reading mine?
    15. Re:And, This is Why... by Anonymous Coward · · Score: 1

      backing up workstations? what the fuck for?

      you sound like a blow hard, and the whole comment is probably bullshit.

    16. Re:And, This is Why... by fuzznutz · · Score: 1

      So if you physically rotate the drives...how is that "automatic"?

      More importantly, keep in mind some of the ransomware running around is sneaky, running transparently for weeks or months to ensure that whatever backups are being made have rolled past their maximum retention and all the new backups are actually encrypted. After a common retention period like 3 months, the malware pulls the plug...deleting the local encryption keep and throwing up a ransom note. "Oh, but I have weeks' worth of backups, I'm fine!"...until you realize all those backups are also encrypted...

      Which is why I have URbackup running on my LAN backing up all the family computers. It shares no NFS or SMB folders to be infected or tampered with. I have a year's worth of quarterly full backups and six months' worth of daily incrementals which it stores very efficiently using hard links. It has Windows, Mac and Linux clients. I check it weekly to make sure I don't see a huge spike in incremental data saved which would indicate a ransomware event. The chronically lazy can get reports emailed.

      It won't help if the place burns down, but the very important files are duped periodically and stored offsite. These days I worry more about Locky than I do about fire, flood, or tornadoes, but then I have kids.

    17. Re:And, This is Why... by Eeepeeep · · Score: 1

      Not sneaky but thorough. With TSM, we had one malware which went out and deleted the backup copies and another that touched all the files and ran backups multiple times to make sure the original data was gone. When lots of money is involved you should expect that developers will have taken backup strategies into account - they are usually one step ahead of you.

    18. Re:And, This is Why... by Anonymous Coward · · Score: 0

      If the computers have write access to the drives, you'll get hosed eventually. Have a machine firewalled from the rest with read access to the machines in question that does the backups as pulls instead of pushes.

    19. Re: And, This is Why... by Zenin · · Score: 1

      Serious question: Why do so many computer geeks actually believe every computer user 'lesser' than them doesn't use applications more specialized than a web browser?

      I'm sure that Chromebook will be great for updating your resume...after you're fired for crippling the company as practically no enterprise applications will run on those toys. Alternative applications are either non-existent, not nearly functional enough, too expensive, require costly retraining, or most often some combination of those faults.

      The reality is there are very, very few legitimate use cases for Chromebooks et al in most enterprise environments. At best as they could serve as a thin client for desktops hosted in the cloud (AWS Workspaces, etc), but that just pushes your desktop management problems into the cloud...it doesn't do much to actually solve or eliminate those desktop management needs.

      --
      My /. uid is better then your /. uid
    20. Re:And, This is Why... by Anonymous Coward · · Score: 0

      Until you get hit with one that sits for a week or so before activating, at which point you've overwritten all your backups. Good Luck!

    21. Re: And, This is Why... by mspohr · · Score: 1

      If an enterprise has locked themselves into applications that run only on Windows, they are stupid and deserve to pay Bitcoin ransom for their stupidity. The writing has been on the wall for many years and most app vendors who are not luddites have (at a minimum) a web version of their software.
      Chromebooks have no need for desktop management. It's much easier to manage the network than a bunch of malware infested Windows boxen.

      --
      I don't read your sig. Why are you reading mine?
    22. Re:And, This is Why... by dhammabum · · Score: 1

      So, a business is going to survive the loss of 30-90 days of work?

      --
      I am not a robot. I am a unicorn.
    23. Re:And, This is Why... by dbIII · · Score: 1

      Luckily the script kiddies deploying the malware so far haven't been trying very hard to hide. Having a copy to a remote site fail due to running out of space because all the filenames are different in the encrypted version of the files was a day one warning in one case I heard about. Also there was a file in every changed directory with instructions on where to send the money - plus the web browser on the original infected host had its home page changed to a message about where to send the money.
      These malware script kiddies want the money ASAP so your spy novel plot above doesn't sound very likely.

      keep in mind some of the ransomware running around is sneaky, running transparently for weeks or months

      Above poster, have you actually heard of such stealth malware in actual existence or are you just speculating about how you would do it without actually considering the motivations of these criminals at all? I've heard the above used as a flimsy excuse for why someone didn't have real backups but nothing about malware script kiddies actually being patient for months.
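The two warning signs commenters describe above, a sudden jump in incremental backup volume (fuzznutz) and a remote copy that sees every filename change at once (dbIII), as an added Python example that is not from the thread or from any backup tool it names. It runs over a constructed history of daily incremental runs for one host; the `.locked` extension, paths and sizes are made up for the sample, not taken from Jaff.

```python
"""Flag ransomware-like behaviour from per-run backup statistics.

Added example (not from the Slashdot thread). Two heuristics:
  * volume spike: this run's incremental bytes versus the median of earlier runs
  * path churn: fraction of previously backed-up paths that vanished, which
    is what mass encrypt-and-rename looks like to a backup system.
"""
from statistics import median
from typing import Dict, List, Set


def spike_ratio(previous_bytes: List[int], current_bytes: int) -> float:
    """Ratio of this run's incremental volume to the median of earlier runs."""
    base = median(previous_bytes)
    if base <= 0:
        return float("inf") if current_bytes > 0 else 0.0
    return current_bytes / base


def churn_fraction(previous_paths: Set[str], current_paths: Set[str]) -> float:
    """Share of last run's paths that are gone this run.

    A renamed file (e.g. report.docx -> report.docx.locked) counts as one
    vanished path plus one new path, so wholesale renaming pushes this to 1.0.
    """
    if not previous_paths:
        return 0.0
    return len(previous_paths - current_paths) / len(previous_paths)


def assess_run(history: List[dict], run: dict,
               spike_factor: float = 5.0, churn_limit: float = 0.5) -> List[str]:
    """Return human-readable alerts for `run`, given the runs before it."""
    alerts: List[str] = []
    if len(history) < 3:          # too little baseline to judge
        return alerts
    ratio = spike_ratio([h["bytes"] for h in history], run["bytes"])
    if ratio >= spike_factor:
        alerts.append(f"incremental volume {ratio:.1f}x the median of the "
                      f"previous {len(history)} runs")
    churn = churn_fraction(history[-1]["paths"], run["paths"])
    if churn >= churn_limit:
        alerts.append(f"{churn:.0%} of previously backed-up paths vanished "
                      f"since the last run")
    return alerts


def scan_history(runs: List[dict], **kw) -> Dict[str, List[str]]:
    """Map run day -> alerts for every run that trips a heuristic."""
    flagged: Dict[str, List[str]] = {}
    for i, run in enumerate(runs):
        alerts = assess_run(runs[:i], run, **kw)
        if alerts:
            flagged[run["day"]] = alerts
    return flagged


# ---- constructed sample data (not real backup logs) -----------------------
def _run(day: str, mbytes: int, paths: List[str]) -> dict:
    return {"day": day, "bytes": mbytes * 1024 * 1024, "paths": set(paths)}


DOCS = [f"/home/alice/docs/report{i}.docx" for i in range(20)]
SAMPLE_RUNS = [
    _run("day1", 48, DOCS),
    _run("day2", 52, DOCS),
    _run("day3", 61, DOCS + ["/home/alice/docs/new.xlsx"]),
    _run("day4", 44, DOCS + ["/home/alice/docs/new.xlsx"]),
    # day5: every document re-appears under a new name, plus a ransom note,
    # and the incremental is several times larger than usual.
    _run("day5", 390, [p + ".locked" for p in DOCS]
         + ["/home/alice/docs/new.xlsx.locked",
            "/home/alice/docs/README_TO_DECRYPT.txt"]),
]

if __name__ == "__main__":
    for day, alerts in scan_history(SAMPLE_RUNS).items():
        print(day)
        for a in alerts:
            print("  -", a)
```

Thresholds are deliberately conservative; tune `spike_factor` against a host's real baseline so a large legitimate import (a VM image, a photo dump) does not page anyone.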

    24. Re:And, This is Why... by dbIII · · Score: 1

      2) Simply saving to network/cloud drive won't save you from ransomware; They'll simply encrypt every NAS/cloud storage the user has access to.

      It allows an economy of scale approach to dealing with the problem.
      More capable systems with different features now have access to the files, so now you can have snapshotting and access to external storage, such as tape, which is not going to all be online at once if the whole thing gets compromised. Doing that on a PC level is a bit of messing about, but on a shared filesystem level it's almost trivial.
      I agree with you on the "cloud" bit since you can't always trust a third party to have decent backups. An offsite copy that you have control over is ideal but requires resources. At the low end there are things like "owncloud" which has a versioning system so that if all the files are unusable you can roll back almost as if it's a snapshot on a real fileserver or a real backup onto tape/usb disk/something else that can be disconnected.

    25. Re: And, This is Why... by dbIII · · Score: 1

      If an enterprise has locked themselves into applications that run only on Windows, they are stupid

      Maybe, but it happens A LOT.
      Also due to the moving target nature of MS Windows that means you get some of these applications that only work on specific versions as these vital applications. I have two users still on MS Windows XP - one to run an electronic testing application and another for a label printing program. They can still run MS Office 201*, firefox, thunderbird etc and don't need a lot of memory so they are feeling no pain about being on MS Windows XP - but it's vulnerable as anything so it's lucky they only use those things for a few tasks.

      But then again, my workplace also has nearly a dozen machines stuck on Solaris 6 due to vendor support demands with some software that was going to be migrated to another platform ten+ years ago but the new stuff still isn't ready - just as well those things have never connected to a network.

    26. Re:And, This is Why... by dbIII · · Score: 1

      I am waiting for the generation of ransomware which installs a shim driver that transparently encrypts documents, but allows the user to access them for a certain period of time (so all backups in 30-90 days are useless

      You are waiting for criminals who will wait around for a long time, risking discovery by various traces and backtracking, instead of demanding money now. I think you'll be waiting for a while.
      It sounds like a really cool plot but I think we are still in "take the money and run" territory here instead of the TV master criminal zone.

    27. Re: And, This is Why... by mspohr · · Score: 1

      Unfortunately true.
      Lazy admins let this slide.
      Really? A label printer? WTF You can't find a label printer program?
      State of the art 20 years ago is a threat to the Enterprise today.

      --
      I don't read your sig. Why are you reading mine?
    28. Re: And, This is Why... by buchanmilne · · Score: 1

      "Yeah great if you work for a tiny company, try the same with 100/1000/10000/100000 desktops..."

      Economies of scale makes it cheaper per desktop the more you have ...

    29. Re: And, This is Why... by dbIII · · Score: 1

      "Lazy admins" don't get to set policy, as you should know with a userid that low.
      Then again you should have known better than the advice to pay bitcoin to criminals and continue to encourage them.

      to the Enterprise today

      It's MS Windows. The only bit where it looks like an "Enterprise" is software falling over like disposable redshirts.

    30. Re: And, This is Why... by mspohr · · Score: 1

      Yes, sorry, I used the term "admins" but they are not really responsible... they just admin what they are given. They can make recommendations to the CTO managers who are the real culprits. The C level people are fat and lazy and not doing their job. It would take work and thinking and planning and money to fix their enterprise but they are lazy and cheap. They are just sliding by and hoping that nothing bad happens to the house of cards they have built on dodgy Windows software.

      Unfortunately, Windows IS enterprise software in too many places. It shouldn't be but it is.

      --
      I don't read your sig. Why are you reading mine?
    31. Re:And, This is Why... by grep+-v+'.*'+* · · Score: 1

      I am waiting for the generation of ransomware which installs a shim driver that transparently encrypts documents, but allows the user to access them for a certain period of time (so all backups in 30-90 days are useless), then at a date/time, purges the keys, and springs the trap.

      Back when dinosaurs ruled the Earth, there was Ashton Tate's dBASE running under MS-DOS.

      Who cares? Because there was a TSR (Terminate and Stay Resident) virus you could get that intercepted .DB file I/O. When it saw write activity, it occasionally changed some data in the outgoing buffer but also remembered the exact position and bytes changed into a hidden file. When reading damaged blocks, it would revert those changes.

      So the user effect was absolutely nothing. And the more you (unsuspectingly) used your files, the more data would actually be corrupted and written to your standard backup. After maybe 3-4 months of operation, the program would suddenly self-destruct, taking its delta file with it ... and effectively your entire database+history, since any recent backup would also be partially corrupted.

      No ransom demands, no muss, no fuss, just gone. Things were just simpler back in the olden days.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    32. Re:And, This is Why... by Anonymous Coward · · Score: 0

      That form of coding is impossible these days. There is no way to have a TSR in Windows, nor save data to a log file. Windows is too secure for that to happen.

  7. The first thing by Anonymous Coward · · Score: 0

    The first thing that people need to know about security and privacy on the Internet is to NEVER EVER open a file attachment or click on a link in an email! No matter who it says it's from! Or what the attachment is supposed to be, or what the link is supposed to be to! DON'T DO IT! EVER!!

  8. Email? by Anonymous Coward · · Score: 0

    Email? Is that how you go about asking a hospital for ransomware?

    How would you expect to get past the IT department's spam filter?

  9. Joke's on them by drinkypoo · · Score: 0

    I don't use a fancy-pants PDF reader that gives a crap, and I don't have Office installed, either.

    Even on Windows this is a non-scary problem for anyone who knows anything.

    Roll on job security.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  10. silk road by Anonymous Coward · · Score: 0

    Is there a silkroad based kickstarter?

  11. Interesting Omission by AlanObject · · Score: 1

    Why doesn't the article ever mention that this affects Windows only? Or is it just assumed these days that malware is only for Microsoft users?

    1. Re:Interesting Omission by dbIII · · Score: 1

      Or is it just assumed these days that malware is only for Microsoft users?

      It's normally a fairly safe assumption since the rare mac or *nix security problems get a label applied.

  12. Servers to block to prevent infestation by Anonymous Coward · · Score: 0

    Add these to your custom hosts file blocked as follows:


    * Per https://blogs.forcepoint.com/security-labs/jaff-enters-ransomware-scene-locky-style/

    APK

    P.S.=> For the best custom hosts file creator bar-none? APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ for protection vs. other threats online + for more speed, security, reliability & anonymity FOR LESS (yet doing more than ANY other SINGLE "so-called 'solution'" that's "Bolt on 'MoAr'" illogic-logic vs. using what you already have natively in hosts files)... apk

  13. Are we ready to kill them yet by liquid_schwartz · · Score: 1

    I have a theory that the punishment should be in proportion to the crime. When you are trying to fleece 5M people an hour then you qualify for a Putin style polonium hit. It would really send a message and help reduce this type of thing.

  14. Just add PDF and DOCX to the list by Anonymous Coward · · Score: 0

    Flash needs to go (until the black hats break HTML5)
    Java needs to go (until the black hats break HTML5)

    So just add PDF and DOCX to the list of formats that need to go (until the black hats break HTML5)

    Then eventually, HTML5 will need to go (until the black hats break whatever the next wonder technology to come down the pipe)