• Jaff WLU variant Distributed via Emails Pretending to be Invoices


    #118037

    As highlighted on Anti-Ransomware Software Overview Update, another ransomware is in the wild.

    From bleepingcomputer.com: Jaff Ransomware Switches to the WLU Extension and Gets a New Design | May 23, 2017

    The new Jaff campaign is being distributed through emails that pretend to be invoices for the recipient. These emails will have subjects such as Copy of Invoice 99483713 or Invoice(58-0710), where the number is random and they contain a malicious PDF attachment.

     
    Other reading on this ransomware:

    From checkpoint.com: JAFF – A New Ransomware is in town, and it’s widely spread by the infamous Necurs Botnet | May 11, 2017

    From scmagazine.com: New Jaff ransomware makes bold entrance via Necurs spam campaign | May 12, 2017

    • #120715

      Decryption Utility Unlocks Files Encrypted by Jaff Ransomware

      by Tom Spring | June 14, 2017

      A weakness discovered in Jaff ransomware by researchers has led to the creation of decryption keys to unlock files locked by the malware.

      “We have found a vulnerability in Jaff’s code for all the variants to date. Thanks to this, it is now possible to recover users’ files (encrypted with the .jaff, .wlu, or .sVn extensions) for free,” Kaspersky Lab said in a prepared statement announcing the availability of the decryption keys.

      Jaff was only first identified last month. At the time it was being distributed by Necurs botnet – the same botnet behind the Locky and Dridex campaigns. Attacks have included massive spam campaigns that include PDF attachments with an embedded Microsoft Word document functioning as the initial downloader for the ransomware.

       
      Read the full article on Kaspersky Lab’s threatpost.com
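
A mail-triage sketch for the two indicators described in this thread, the invoice-style subject lines with a PDF attachment and the PDF carrying an embedded document. This is an added example, not code from the posts or the cited articles. The regex generalization, the `hold` policy and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject shapes quoted in the post: "Copy of Invoice 99483713", "Invoice(58-0710)".
# Assumption: any digit run is accepted, since the post says the number is random.
SUBJECT_RE = re.compile(r"^\s*(?:Copy of Invoice \d+|Invoice\(\d+-\d+\))\s*$", re.I)

# Constructed stand-ins for attachments; not real or valid PDFs.
SAMPLE_PDF = b"%PDF-1.5\n1 0 obj\n<< /Type /EmbeddedFile >>\nendobj\n%%EOF\n"
PLAIN_PDF = b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

def build_sample(subject, pdf=None):
    """Build a constructed test message, optionally with one PDF attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see the attached invoice.")
    if pdf is not None:
        msg.add_attachment(pdf, maintype="application", subtype="pdf",
                           filename="invoice.pdf")
    return msg.as_bytes()

def triage(raw):
    """Return the lure indicators found in one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {"subject_match": bool(SUBJECT_RE.match(str(msg["Subject"] or ""))),
             "pdf_attachments": [], "pdf_with_embedded_file": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        # Identify PDFs by header bytes, not by the declared type or file name.
        if b"%PDF-" not in data[:1024]:
            continue
        name = part.get_filename() or "(unnamed)"
        found["pdf_attachments"].append(name)
        # Heuristic only: the marker is invisible inside compressed object streams.
        if b"/EmbeddedFile" in data:
            found["pdf_with_embedded_file"].append(name)
    # Hypothetical policy: hold mail that pairs the subject shape with a PDF.
    found["hold"] = found["subject_match"] and bool(found["pdf_attachments"])
    return found

if __name__ == "__main__":
    for subj, pdf in [("Copy of Invoice 99483713", SAMPLE_PDF),
                      ("Invoice(58-0710)", SAMPLE_PDF),
                      ("Invoice for March", PLAIN_PDF)]:
        print(subj, "->", triage(build_sample(subj, pdf)))
```

A subject match alone is weak evidence because real invoices use the same wording, so the embedded-file flag is reported separately for an analyst to weigh.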
