PDF spam attachment delivers Jaff Ransomware with $3400 ransom

June 12, 2017

This week, the SonicWall Threat Research Team observed a new wave of an email spam campaign carrying a malicious PDF attachment that installs Jaff ransomware. The PDF carries an attached Word macro file stored as a stream object, so when the PDF is opened, the embedded attachment is opened as well.

Infection Cycle:

The malicious file comes as an attachment to an email purporting to be an important document such as a receipt.

It may use the following filenames:

  • document_****.pdf
  • scan_***.pdf
  • receipt_****.pdf
  • file_***.pdf
  • copy_***.pdf

Once the PDF document is opened, it also tries to open the embedded macro file.
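The delivery trick described above (a Word macro document held inside the PDF as an embedded file stream, plus an action that fires when the document opens) leaves static markers in the raw PDF objects. The following script is an added example, not SonicWall's detection logic and not part of this advisory: it scans PDF bytes for embedded-file and auto-open names and flags the combination. The two sample PDFs are constructed inline for the demo (the attachment name `invoice.docm` and the JavaScript body are made up); it does not inflate compressed object streams, which a production scanner would also have to do.

```python
"""Static triage of a PDF for embedded attachments and auto-open triggers.

Added example (not SonicWall's signature). Works on raw PDF bytes offline.
"""
import re
from dataclasses import dataclass, field

# PDF name objects relevant to "attachment that opens itself" delivery.
SUSPICIOUS_KEYS = (b"/EmbeddedFile", b"/Filespec", b"/OpenAction", b"/AA",
                   b"/JavaScript", b"/JS", b"/Launch", b"/RichMedia")
TRIGGER_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")
# Attachment types a "receipt" or "scan" PDF has no business carrying.
RISKY_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm",
                    ".js", ".vbs", ".exe", ".scr")


@dataclass
class PdfTriage:
    keys_seen: dict = field(default_factory=dict)      # key -> occurrence count
    attachment_names: list = field(default_factory=list)

    @property
    def risky(self) -> bool:
        """Embedded file AND (an open-time trigger OR an Office/script name)."""
        has_attachment = b"/EmbeddedFile" in self.keys_seen
        has_trigger = any(k in self.keys_seen for k in TRIGGER_KEYS)
        risky_name = any(n.lower().endswith(RISKY_EXTENSIONS)
                         for n in self.attachment_names)
        return has_attachment and (has_trigger or risky_name)


def triage_pdf(data: bytes) -> PdfTriage:
    result = PdfTriage()
    for key in SUSPICIOUS_KEYS:
        # Negative lookahead so /EmbeddedFile does not match /EmbeddedFiles
        # (the Names-tree key) and /JS does not match longer names.
        hits = len(re.findall(re.escape(key) + rb"(?![A-Za-z])", data))
        if hits:
            result.keys_seen[key] = hits
    # A file specification dictionary names its attachment via /F or /UF
    # string entries; /F followed by a number (annotation flags) is skipped.
    for m in re.finditer(rb"/(?:UF|F)\s*\(([^)]*)\)", data):
        name = m.group(1).decode("latin-1")
        if name not in result.attachment_names:
            result.attachment_names.append(name)
    return result


# Constructed sample: catalog with an OpenAction JavaScript entry and an
# embedded Office document. Not a real malicious file; the script body is a stub.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(invoice.docm) 5 0 R] >> >> /OpenAction << /S /JavaScript /JS (app.alert\\(1\\)) >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /EmbeddedFile /Length 4 >> stream
D0CF
endstream endobj
5 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 4 0 R >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample: one empty page, nothing embedded.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        t = triage_pdf(blob)
        print(label, "risky" if t.risky else "ok", t.attachment_names,
              {k.decode(): v for k, v in t.keys_seen.items()})
```

The decision rule is deliberately conjunctive: plenty of legitimate PDFs carry attachments, and plenty carry open-time JavaScript, but a document that both embeds an Office macro file and wires up an action on open is what this campaign looks like on disk, and that pairing is what a mail gateway rule should key on.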

Upon successful execution, it makes the following GET request.

It then starts encrypting the files on the victim's machine, appending the ".jaff" file extension to every encrypted file.

It also changes the desktop wallpaper and drops the files ReadMe.html, ReadMe.txt and ReadMe.bmp to every directory that contains an encrypted file.
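The two host-side artifacts just described, the ".jaff" extension on encrypted files and the ReadMe.html/ReadMe.txt/ReadMe.bmp triplet dropped into every affected directory, are enough to scope an infection after the fact. The script below is an added example (not SonicWall's tooling): it walks a directory tree, counts encrypted files, recovers the original extension that was hidden under ".jaff", and lists which directories carry the ransom notes. The `demo()` function builds a constructed sample tree in a temporary directory so the scan runs offline; the file names in it are made up.

```python
"""Post-infection scoping for Jaff-style artifacts (.jaff files + ReadMe notes).

Added example, not part of the advisory or of SonicWall's products.
"""
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".jaff"
# Note file names from the advisory, compared case-insensitively.
RANSOM_NOTES = {"readme.html", "readme.txt", "readme.bmp"}


def scan_tree(root: str) -> dict:
    """Walk `root` and report encrypted files, affected dirs and note drops."""
    report = {
        "encrypted_files": 0,
        "affected_dirs": [],        # dirs (relative to root) holding .jaff files
        "note_dirs": [],            # dirs holding the full ReadMe triplet
        "original_extensions": Counter(),  # what the victim lost, by type
    }
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        lowered = {f.lower() for f in filenames}
        encrypted = [f for f in filenames if f.lower().endswith(RANSOM_EXT)]
        if encrypted:
            report["encrypted_files"] += len(encrypted)
            report["affected_dirs"].append(rel)
            for name in encrypted:
                # "report.docx.jaff" -> original extension ".docx"
                original = name[: -len(RANSOM_EXT)]
                ext = os.path.splitext(original)[1].lower()
                report["original_extensions"][ext or "<none>"] += 1
        if RANSOM_NOTES <= lowered:
            report["note_dirs"].append(rel)
    report["affected_dirs"].sort()
    report["note_dirs"].sort()
    return report


def build_constructed_sample(root: str) -> None:
    """Create a small tree mimicking the advisory's artifacts (constructed data)."""
    layout = {
        "docs": ["report.docx.jaff", "budget.xlsx.jaff",
                 "ReadMe.html", "ReadMe.txt", "ReadMe.bmp"],
        "archive": ["old.zip.jaff", "ReadMe.html", "ReadMe.txt", "ReadMe.bmp"],
        "photos": ["holiday.jpg"],      # untouched directory
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content\n")


def demo() -> dict:
    """Build the sample tree, scan it, clean up, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"{r['encrypted_files']} encrypted files in {r['affected_dirs']}")
    print("ransom notes in:", r["note_dirs"])
    print("original types hit:", dict(r["original_extensions"]))
```

Running the scan read-only against a snapshot or a mounted image keeps the evidence intact; the per-extension counter is what tells you whether backups cover what was actually lost, which is the check that matters given the advice later in this post to back up regularly.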

Following the ReadMe file to a page on the onion network for further instructions reveals that Jaff ransomware is asking for 2 bitcoins, or roughly 3,400 USD at the current exchange rate. This amount is significantly higher than what most ransomware programs we have seen ask for.

The graph below shows an increase in hits over the past 24 hours for the signature we created to detect this ransomware.

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: JaffPDF.RSM* (Trojan)

  • (*This signature was previously named Downloader.PDF_2 and later renamed to JaffPDF.RSM)