Jaff Ransomware Comes With a New .WLU File Extension

Jaff Ransom Note

Ransomware (a type of malware, that attempt to take your files, business information and personal data stored on your computer hostage) is becoming more and more common and prominent as a security threat, with new strains appearing every week. Emsisoft cyber security researchers investigated this new ransomware. Jaff ransomware is interesting because it is being distributed via the Necurs botnet, which previously disseminated other ransomware such as Locky, and because it already has a huge amount of submissions to ID-Ransomware.

The virus campaign has a massive global scope. The majority of the recipients belong to com domains. Nevertheless, companies in Ireland, France, Belgium, Germany, the Netherlands, Italy, Israel, Mexico and Australia also got lots of harmful nasty emails during that affair. Top-level domains in Sri Lanka, Peru, and Costa Rica were also attacked.

A new variant of the Jaff ransomware was discovered on May, 24. It includes an updated design for the ransom note and the new WLU extension for encrypted files.

Jaff is written in C language and is packaged with the help of custom virus obfuscator. Obfuscators are tools that are deployed by malicious software creators to conceal viruses underneath potentially numerous layers of encryption and compression so that their analysis would be much more difficult.

Like the majority of ransomware types, Jaff renames the files it encrypts, adding the .jaff extension. For example, a file named doc1.jpg would now be encrypted as doc1.jpg.jaff. When it is compromising a system, it drops HTML-based, text-based and picture-based ransom notifications on the hard drive named ReadMe.htm, ReadMe.txt and ReadMe.bmp, respectively. Those notifications include a unique ten digit “decrypt ID” and the address of a TOR website where a targeted user can pay money. The desktop background of the compromised machine is also modified. When the user arrives to that TOR website they will be asked to type their ID and will then see a webpage entitled “jaff decryptor system”. It explains in detail how the users must pay the ransom, the amount of bitcoins needed for ransom, and the bitcoin address where payments must be transferred to.

Jaff is distributed via MALSPAM through the Necurs botnet. Earlier Necurs was used to disseminate Dridex and Locky, which made many cyber security specialists think that Jaff may be the next development stage of the Locky ransomware. The layout and HTML of the TOR-based payment webpage of Jaff are very similar to Locky’s, yet those viruses are different in almost everything else. The last Locky versions consist of almost 800 disparate functions, the Jaff code includes only about 50, which means that Jaff is significantly less feature complete and complex. Jaff tries to self-terminate if the local language of the computer is Russian and Locky also applied similar filters. Besides, Jaff communicates with the server fkksjobnn43.org, which is a well-established Locky domain.

Jaff only generates ransom notification texts in English language at this moment. Newest versions of this virus demand a hefty ransom of about 2.036 bitcoins, which currently equates around 3500 Euros, 3800 US Dollars or 3000 British Pounds.

At present, Necurs is targeting computer users through emails with one of the following subject lines:

  • Copy of Invoice (eight or more numerals)
  • Invoice (six or more numerals)
  • Document_(four or more numerals)
  • File_(four or more numerals)
  • Scan_(four or more numerals)
  • PDF_(four or more numerals)
  • Copy_(four or more numerals)

Jaff PDF File

These emails are coming with PDF documents (called nm.pdf) attached to them and they ask the PC users to open the embedded document-macro (DOCM) files inside those PDF documents. If the user agrees to open the DOCM file, it will then encourage the user to “Enable Content” in order to read the document properly. If the user goes with it and pushes the “Enable Content” button, the dangerous macro scrypt hiding inside this document activates and starts running. The macro then establishes contact with its command and control or C2 server situated at http://fkksjobnn43.org/a5/ address and downloads numerous other XOR encoded executable files, then it decodes those files and executes them on the victim’s computer system.

Jaff Macros

Jaff uses a combined bundle of RSA and AES keys to encrypt the user’s information. To alleviate encryption on a system, the Windows CryptoAPI is used. When Jaff enters a computer, it will immediately automatically inject the ransomware developer’s public RSA key. After that the ransomware generates a new 256 bit AES key. The virus then checks all available drives and network shares for files with one of 423 chosen extensions. Once a file with one of these extensions has been discovered, the ransomware will encrypt up to the first 512 KB using the 256 bit AES key in CBC mode. It will then encrypt the AES key using the ransomware developer’s public RSA key and keeps it together with a magic header value, the size of the encrypted block and the encrypted bytes inside a new file. It finishes with appending of any non-encrypted data to the file.

This process may seem too bewilderingly complex and meandering, but in reality it is very ingenious and effective – it allows Jaff to successfully encrypt files offline without an Internet connection and any communication with a command and control server.

Alas, Jaff Ransomware is classified as not decryptable, which means that it’s impossible to recover encrypted files without access to the ransomware developer’s private key. Yet some files can be recovered with the help of other means.


Please enter your comment!
Please enter your name here