630,000 Instances of Jaff, a New Locky Variant, Were Detected in the First 48 Hours of the Outbreak Last Week by a Global Email Security Provider

WannaCry is not the only ransomware causing massive disruption. Jaff, a new Locky variant, is propagated primarily by email and is able to evade many signature-based email security programs.

Over 48 hours on May 11 and 12, Vade Secure blocked more than 630,000 emails containing the Jaff ransomware.

The media has been preoccupied by an unprecedented series of cyberattacks that have crippled companies worldwide since May 11. However, it has gone largely unnoticed that these are in fact two very separate waves of attacks.

The first wave, WannaCry, has been the central focus of most of the press coverage and is primarily propagating as a worm.

The second wave of attacks is also massive but has been largely ignored by many press accounts. This is a variant of the famous Locky malware, called Jaff, and it is primarily being distributed by email.

The attack from the Jaff ransomware was detected on Thursday, May 11. Within 48 hours, the Vade Secure filter detected 633,920 emails containing the Jaff ransomware. Vade Secure has successfully blocked Jaff since its introduction, but many email filters were unable to recognize and isolate Jaff during the initial phases of the attack because it did not match any known file signatures.

Jaff arrives as a .docm file embedded inside a PDF file. When the document is opened, a macro downloads the malicious payload and starts encrypting the infected machine. According to Vade Secure’s analysis, there are numerous similarities between Jaff and Locky: Jaff is essentially a mutation of Locky that has been reengineered to get past email filters.

Georges Lotigier, CEO of Vade Secure, commented:

“Ransomware is back in the spotlight again with a significant global impact. However, there is some good news. According to our estimates, the ransomware WannaCry has only generated about $35,000 for its designers. Most companies have not paid up. Jaff ups the ante even more by increasing the ransom demand to 2 BTC (approximately $3,500).”

The Jaff attack follows the same process as Locky for encrypting files and demanding payment. Each malicious email contains a “clean” PDF that carries an MS Word document; that document in turn uses a macro to download and activate the main ransomware payload. Because neither the PDF nor the Word document matches a known signature, this chain gets past most email filters unless they have a specific file signature to blacklist.
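The two paragraphs above describe the delivery chain (a PDF carrying a macro-enabled Word document) and why signature-only filters miss it. The following is an added example, not Vade Secure's code and not part of the original release: a small structural check a mail gateway could run on a PDF attachment before any signature lookup. It looks for /Filespec entries (the PDF mechanism for file attachments) and for /EmbeddedFile streams, and flags any attachment whose name has a macro-enabled Office extension. The page only mentions .docm; the other extensions in MACRO_EXTENSIONS are the analogous macro-enabled Word, Excel and PowerPoint formats and are a generalization. The scanner assumes attachment names are stored as literal strings in /F or /UF keys (hex-encoded names and object streams are not handled), and the three PDF samples are constructed for the example.

```python
import os
import re

# Macro-enabled Office extensions. The page names .docm; the rest are the
# analogous macro-enabled formats (generalization, not taken from the page).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}

# /F (name) or /UF (name) inside a Filespec; handles backslash escapes in
# PDF literal strings. Indirect references such as /EF << /F 3 0 R >> have no
# opening parenthesis and therefore do not match.
FILESPEC_NAME = re.compile(rb"/(?:F|UF)\s*\((?P<name>(?:\\.|[^\\)])*)\)")

# /EmbeddedFile as a stream type; \b keeps /EmbeddedFiles (the name tree) out.
EMBEDDED_STREAM = re.compile(rb"/EmbeddedFile\b")

# Constructed sample 1: PDF carrying an attachment named invoice.docm.
PDF_WITH_DOCM = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(invoice.docm) 2 0 R] >> >> >> endobj
2 0 obj << /Type /Filespec /F (invoice.docm) /UF (invoice.docm) /EF << /F 3 0 R >> >> endobj
3 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 2: PDF with a non-macro attachment (notes.txt).
PDF_WITH_TXT = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(notes.txt) 2 0 R] >> >> >> endobj
2 0 obj << /Type /Filespec /F (notes.txt) /EF << /F 3 0 R >> >> endobj
3 0 obj << /Type /EmbeddedFile /Length 5 >> stream
hello
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample 3: plain PDF with no attachments at all.
PDF_CLEAN = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def _unescape(raw: bytes) -> str:
    # Strip PDF literal-string escapes (\( \) \\) and decode as Latin-1.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def scan_pdf(pdf_bytes: bytes) -> dict:
    """Structural check for embedded attachments in a PDF.

    verdict is 'block' when a macro-enabled Office file is attached,
    'review' when any other attachment or embedded stream is present,
    and 'allow' otherwise. No signature database is consulted.
    """
    names = sorted({_unescape(m.group("name")) for m in FILESPEC_NAME.finditer(pdf_bytes)})
    has_stream = EMBEDDED_STREAM.search(pdf_bytes) is not None
    macro = [n for n in names if os.path.splitext(n.lower())[1] in MACRO_EXTENSIONS]
    if macro:
        verdict = "block"
    elif names or has_stream:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "attachments": names,
        "embedded_stream": has_stream,
        "macro_enabled": macro,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, sample in (("docm", PDF_WITH_DOCM), ("txt", PDF_WITH_TXT), ("clean", PDF_CLEAN)):
        print(label, scan_pdf(sample))
```

The point of the check is that it keys on structure (an attachment of a macro-capable type inside a PDF) rather than on a hash of a particular sample, so a re-packed or re-obfuscated variant still trips it. A production gateway would pair this with macro analysis of the extracted Office file and with the signature and reputation checks the release says were bypassed.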

About Vade Secure:
Vade Secure provides predictive email security utilizing data from a global customer base of more than 400 million email boxes. Its 24/7 global threat centers protect customers against ransomware, phishing, spear phishing, and other email-borne threats.

Vade Secure solutions are used by major ISPs, OEMs, SMBs, and enterprises worldwide.

Contact Author

Rich Quarles