PDF spam attachment delivers Jaff Ransomware with $3400 ransom


This week, SonicWall Threat Research Team has observed a new wave of email spam campaign carrying malicious PDF attachment which installs Jaff ransomware. The PDF carries an attached Word macro file which is held as a stream object so when the PDF is opened, the embedded attachment is opened as well.

Infection Cycle:

The malicious file comes as an attachment to an email purporting to be an important document such as a receipt.

It may use the following filenames:

  • document_****.pdf
  • scan_***.pdf
  • receipt_****.pdf
  • file_***.pdf
  • copy_***.pdf

Once the PDF document is opened, it also tries to open the embedded macro file:

Upon successful execution, it makes the following GET request:

It then starts encrypting the files in the victim’s machine. It appends “.jaff” file extension to all encrypted files.

It also changes the desktop wallpaper and drops the files ReadMe.html, ReadMe.txt and ReadMe.bmp to every directory that contains an encrypted file.

Following the ReadMe file to visit a page on the onion network for further instructions reveals that Jaff ransoware is asking for 2 bitcoins or an equivalent of roughly 3,400 USD in the current exchange rate. This amount is significantly higher than what most ransomware programs we have seen ask for.

The graph below shows an increase in hits for the signature we created to detect this ransomware in the past 24 hours:

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: JaffPDF.RSM* (Trojan)

  • (*This signature was previously named Downloader.PDF_2 and later renamed to JaffPDF.RSM)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.