A massive malicious email campaign that stems from the Necurs botnet is spreading a new ransomware at the rate of 5 million emails per hour and hitting computers across the globe. Dubbed “Jaff,” the new file-encrypting ransomware is very similar to the infamous Locky ransomware in many ways, but it is demanding 1.79 Bitcoins (approx $3,150), which is much higher than Locky, to unlock the encrypted files on an infected computer.
According to security researchers at Forcepoint Security Lab, Jaff ransomware, written in the C programming language, is being distributed with the help of the Necurs botnet, which currently controls over 6 million infected computers worldwide. The Necurs botnet is sending emails to millions of users with an attached PDF document which, if clicked, opens an embedded Word document with a malicious macro script that downloads and executes the Jaff ransomware, Malwarebytes says.
Jaff is Spreading at the Rate of 5 Million per Hour
The malicious email campaign started on Thursday morning at 9 am and had peaked by 1 pm, and its system recorded and blocked more than 13 million emails during that period – that’s 5 million emails per hour. “Jaff targets 423 file extensions. It is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the ‘.jaff’ file extension is appended,” Forcepoint says. The ransomware then drops a ransom note in every affected folder, and the desktop background of the infected computer is also replaced.
The ransom note tells victims that their files are encrypted, but doesn’t ask them for any payments; instead, it urges victims to visit a payment portal located on a Tor site, which is accessible via Tor Browser, in order to decrypt their important files. Once victims install Tor Browser and visit the secret site, they are asked for an astounding 1.79 BTC (about $3,150).
Separate research conducted by Proofpoint researchers indicated that the Jaff ransomware could be the work of the same cybercriminal gang behind Locky, Dridex, and Bart. The security company said that the Jaff ransomware campaign had affected users globally, with victim organizations primarily in the United Kingdom and the United States, as well as Ireland, Belgium, Italy, Germany, the Netherlands, France, Mexico and Australia.
Massive Ransomware Attack Uses NSA’s Windows Exploit
In separate news, another massive, fast-spreading ransomware campaign is targeting computers at hospitals, banks, telecom companies and other organisations across the globe today. The ransomware, known as WanaCrypt0r or WannaCry, is using NSA’s Windows exploit, EternalBlue, which was leaked by the Shadow Brokers hacking group over a month ago. Within just hours, this cyber attack has infected more than 60,000 computers in 74 countries.
How can you Protect yourself from the Jaff Ransomware?
To safeguard against such ransomware infection, you should always be suspicious of uninvited documents sent via email and should never click on links inside those documents without verifying the source. Check if macros are disabled in your Microsoft Office applications. If not, block macros from running in Office files from the Internet. In enterprises, your system admin can set the default setting for macros. To always have a tight grip on all your important files and documents, keep a good backup routine in place that copies them to an external storage device that is not always connected to your PC. Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.
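The delivery chain described above, a PDF attachment that opens an embedded document, can also be screened for before a message reaches the inbox. The sketch below is an added example, not code from the article or from the vendors it cites; it does a raw keyword triage of a PDF for embedded-file and act-on-open name tokens from the PDF specification. The function names, verdict labels and sample byte strings are constructed for illustration.

```python
import re

# PDF name tokens of interest: an embedded file plus something that acts
# when the document is opened (standard PDF dictionary keys).
EMBED_NAMES = {"EmbeddedFile", "EmbeddedFiles", "Filespec"}
ACTION_NAMES = {"OpenAction", "AA", "JavaScript", "JS", "Launch"}
NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed samples (not real attachments): chain, hex-escaped chain, plain.
SAMPLE_CHAIN = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Names "
                b"<< /EmbeddedFiles 2 0 R >> /OpenAction 3 0 R >>\nendobj\n%%EOF\n")
SAMPLE_OBFUSCATED = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Names "
                     b"<< /Embedded#46iles 2 0 R >> /Open#41ction 3 0 R >>\nendobj\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"


def decode_name(raw: bytes) -> str:
    """Undo #XX hex escapes, which PDF permits inside name tokens."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Report embed/action names found and a coarse verdict for a mail filter."""
    if b"%PDF-" not in data[:1024]:
        return {"verdict": "not-pdf", "embed": [], "action": [], "opaque_streams": False}
    names = {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}
    embed = sorted(names & EMBED_NAMES)
    action = sorted(names & ACTION_NAMES)
    # Compressed object streams can hide dictionaries from a raw keyword scan,
    # so their presence alone is worth a closer look with a real PDF parser.
    opaque = "ObjStm" in names
    if embed and action:
        verdict = "quarantine"   # embedded file AND an automatic action
    elif embed or action or opaque:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "embed": embed, "action": action, "opaque_streams": opaque}


if __name__ == "__main__":
    for label, blob in [("chain", SAMPLE_CHAIN), ("obfuscated", SAMPLE_OBFUSCATED),
                        ("plain", SAMPLE_PLAIN)]:
        print(label, triage_pdf(blob))
```

A keyword scan like this is a first-pass filter only: short tokens such as `/AA` can appear by chance in binary stream data, which is why a single hit yields "review" rather than "quarantine".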