{
	"id": "6bbe976a-2f3f-40d4-82f2-e3e9553e414b",
	"created_at": "2026-04-06T00:06:07.46355Z",
	"updated_at": "2026-04-10T13:11:32.686398Z",
	"deleted_at": null,
	"sha1_hash": "82a0b1c37ade3e9725fc1a1362c163aa677abe4c",
	"title": "Jaff Ransomware: Player 2 Has Entered The Game",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1316440,
	"plain_text": "Jaff Ransomware: Player 2 Has Entered The Game\r\nBy Edmund Brumaghin\r\nPublished: 2017-05-12 · Archived: 2026-04-05 16:55:24 UTC\r\nFriday, May 12, 2017 09:58\r\nThis post was written by Nick Biasini, Edmund Brumaghin and Warren Mercer with contributions from Colin\r\nGrady\r\nSummary\r\nTalos is constantly monitoring the email threat landscape and tracking both new threats as well as changes to\r\nexisting threats. We recently observed several large scale email campaigns that were attempting to distribute a new\r\nvariant of ransomware that has been dubbed \"Jaff\". Interestingly we identified several characteristics that we have\r\npreviously observed being used during Dridex and Locky campaigns. In a short period of time, we observed\r\nmultiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF\r\nattachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff\r\nransomware. While Cisco customers were already automatically protected against this threat, we decided to take a\r\ndeeper look at this threat and its possible implications across the threat landscape. We have outlined the infection\r\nprocess and additional relevant information regarding this threat in detail below.\r\nInfection Process\r\nEven though certain elements of each campaign differed slightly, with different XOR key values being used, they\r\nall exhibited common features. The email campaigns that were attempting to distribute this malware were using\r\nstandard spam characteristics. The subject lines were mutated with a random string of digits but started with either\r\n\"Copy_\" or \"Document_\" for example \"Copy_30396323\" and \"Document_3758\". While we were monitoring\r\nthese campaigns, we saw multiple campaigns being launched, each with slightly different themes. 
The body of the\r\nemail associated with the initial campaign was blank with a single attached file named \"nm.pdf\"; an example of the\r\ncampaign is shown below.\r\nhttp://blog.talosintelligence.com/2017/05/jaff-ransomware.html\r\nPage 1 of 9\n\nFigure A: Example Email Message \r\nAs can be seen in the above screenshot, it does not appear that the attackers put any significant amount of effort\r\ninto the creation of the emails associated with these campaigns. A bit later, we saw a subsequent campaign with an\r\nemail body that contained the following text:\r\n\"Image data in PDF format has been attached to this email.\"\r\nIn each case, the file attachment was a malicious PDF document with an embedded Microsoft Word document.\r\nWhen victims open the PDF, they are greeted with a message in the body of the PDF, which will then attempt to\r\nopen the embedded Microsoft Word document.\r\nFigure B: Example PDF Attachment \r\nSimilar to what we saw with recent Locky campaigns, when the PDF attempts to open the embedded Microsoft\r\nWord document, the victim is prompted to approve the activity. Requiring user interaction to continue the\r\ninfection process could be an attempt to evade automated detection mechanisms that organizations may have\r\ndeployed, as no malicious activity occurs until after the user approves. 
In sandbox environments that are not\r\nconfigured to simulate this activity, the infection may never occur, which could result in the sandbox determining\r\nthat the file is benign when in reality it is malicious; the infection was simply not triggered.\r\nThe PDF contains the following Javascript, which is responsible for opening the embedded Microsoft Word\r\ndocument:\r\nFigure C: Javascript Within PDF \r\nClicking the OK button causes the PDF to open the malicious Microsoft Word document, which looks similar to\r\nwhat we have grown accustomed to seeing from campaigns like this one. As can be expected, the user is also\r\nprompted to Enable Editing in order to view the contents of the Word document. One thing to note is that the\r\nmalicious Microsoft Word document contained two pages rather than just one, unlike a lot of maldocs.\r\nFigure D: Example Malicious Word Document \r\nOnce the malicious content is enabled, the Microsoft Word document will then execute a VBA macro that\r\nfunctions as the actual ransomware downloader and will attempt to retrieve the ransomware binary to infect the\r\nsystem.\r\nThe VBA Macro contains multiple download domains, which are separated with a capital 'V'; this gives the\r\nmalware multiple opportunities to download the malicious payload from multiple sources.\r\nFigure E: VBA Downloader\r\nThe URL used to download the Jaff binary is very similar to what we are used to seeing from Locky as well.\r\nFigure F: Download URL\r\nThe binary blob downloaded above is then XOR'd using an XOR key embedded within the maldoc; we observed\r\nmultiple XOR keys throughout this campaign. 
This is found within Module3 of the VBA Macro, with the\r\nXOR key being 'd4fsO4RqQabyQePeXTaoQfwRCXbIuS9Q'\r\nFigure G: XOR Key \r\nOnce this XOR process has completed, the actual ransomware PE32 executable is launched using the Windows\r\nCommand Processor with the following command-line syntax:\r\nFigure H: Executable Launch\r\nThe ransomware iterates through folders stored on the system and encrypts them.\r\nThe file extension associated with this particular ransomware, which is appended to each file, is \"jaff\". The\r\nransomware writes a file called ReadMe.txt into the victim's \"My Documents\" directory that contains the ransom\r\nnote.\r\nFigure I: Text Based Ransom Note \r\nIt also modifies the desktop background, as can be seen below:\r\nFigure J: Modified Desktop Wallpaper \r\nIt is interesting to note that the instructions do not appear to instruct the user to make use of any sort of Tor proxy\r\nservice such as Tor2Web, instead instructing the user to install the full Tor Browser software package in order to\r\naccess the ransom payment system. The Tor address being used across samples and campaigns also does not\r\nappear to be changing. Visiting the ransom payment system results in the victim being greeted by the following\r\napplication, which requires them to input the decrypt ID listed in the ransom note on the infected system.\r\nFigure K: Specify Decrypt ID\r\nAfter entering the appropriate ID value into the website, the victim is taken to the full instruction page that\r\nspecifies the ransom amount the attacker is demanding, along with instructions for making the payment.\r\nFigure L: Ransom Payment System\r\nIt's interesting to note that the look and feel of the ransom payment system is very similar to what we have\r\nseen from Locky. 
In this particular case, the ransom amount being demanded was 2.01117430 in Bitcoin, which at\r\nthe time of this writing was approximately $3700, which is significantly higher than that demanded by other\r\nransomware families operating across the threat landscape. In looking at the bitcoin wallet specified on the ransom\r\npayment server, we confirmed that there are currently zero transactions associated with this wallet.\r\nFigure M: Bitcoin Wallet Transactions\r\nCampaign Distribution/Volume\r\nTalos observed over 100K emails (so far) related to these new Jaff campaigns. This is a significant rise in\r\nransomware delivered by spam for such a new actor. Their immediate relationship with Necurs has allowed their\r\nspam campaigns to reach impressive volumes in a very short period of time. The initial spam campaign began on\r\nMay 11, 2017 at 0800 UTC and consisted of roughly 35,768 messages, all containing the attachment \"nm.pdf\".\r\nTalos observed approximately 184 unique samples within this spam campaign.\r\nTalos also observed a second campaign that began overnight, consisting of approximately 72,798 emails. This\r\ncampaign began on May 12, 2017 at 0900 UTC and was observed to be distributing approximately 294 unique\r\nsamples. The attachment filename associated with this second campaign was \"201705*.pdf\", which functioned\r\nidentically to the initial campaigns we observed.\r\nIs This New Locky?\r\nThere are certain characteristics associated with both the campaigns being used to distribute Jaff and the C2 traffic\r\npatterns it uses that are similar to what we've become accustomed to while monitoring Locky and Dridex activity\r\nacross the threat landscape. However, we are confident that this is not simply a new or \"retooled\" version of Locky\r\nransomware. 
There is very little similarity between the two codebases, and while it is possible that the same actors\r\nwho once used Necurs to spread Locky have switched to distributing Jaff, the malware itself is distinct enough in\r\nnature that it should be treated and referred to as a different ransomware family altogether.\r\nIf anything, the reason this can be considered the 'new' Locky is purely its rampant appearance: like\r\nLocky, it came out of nowhere with a huge bang, it spread primarily via email malspam, and it leveraged maldocs, but\r\nthe traits of a campaign are not used to determine whether the malware is the same. This is a new piece of ransomware with\r\nsignificant effort having been put into the codebase, the infrastructure and the volume. However, that does not\r\nmake this Locky 2.0. It simply makes it another new and aggressive adversary pushing their ransomware product\r\nto end users; this should be considered, for now, separate from Locky.\r\nWe've now seen that Necurs is being used to push Jaff in the form of multiple high volume spam campaigns. 
We\r\nwill continue to monitor this, as we do with every email-based threat, to determine whether this is a fly-by-night\r\noccurrence or whether this ransomware family will continue to infect organizations that are not properly\r\nprotected.\r\nIOCs\r\nEmail Subjects:\r\nCopy_String of Digits\r\nDocument_String of Digits\r\nScan_String of Digits\r\nPDF_String of Digits\r\nFile_String of Digits\r\nScanned Image\r\nAttachment Filenames:\r\nnm.pdf\r\nString of Digits.pdf (Example: 20170511042179.pdf)\r\nAttachment Hashes:\r\nA list of attachment hashes associated with this campaign (PDF \u0026 DOC) can be found here.\r\nBinary Hashes:\r\n03363f9f6938f430a58f3f417829aa3e98875703eb4c2ae12feccc07fff6ba47\r\nC2 Server IPs:\r\n108.165.22[.]125\r\n27.254.44[.]204\r\nDistribution Domains:\r\nA list of distribution domains associated with these campaigns can be found here.\r\nConclusion\r\nThis is yet another example of a new ransomware variant being unleashed on the world. This occurrence is\r\nbecoming far too common and shows why this is such an attractive avenue for miscreants. There are millions of\r\ndollars at stake and everyone is trying to grab a piece of the pie. Jaff is being distributed through a common\r\nmechanism, Necurs-based spam. However, it is asking for a fairly large ransom of $3700. The question is at which\r\nprice point it deters users from paying. In the future we will likely see adversaries continue to try to find the\r\nsweet spot, maximizing profits without sacrificing ransoms paid.\r\nIn today's threat landscape, ransomware dominates and is being pushed onto systems around the world in every\r\nway possible. 
With the large-scale decrease in exploit kit activity, it's likely going to continue to be heavily\r\ndistributed through email, as well as being delivered as a secondary payload when adversaries manage to penetrate\r\na network or system, as in the case of threats like Samsam.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nThe Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network\r\nactivity by threat actors.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella prevents DNS resolution of the domains associated with malicious activity.\r\nSource: http://blog.talosintelligence.com/2017/05/jaff-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://blog.talosintelligence.com/2017/05/jaff-ransomware.html"
	],
	"report_names": [
		"jaff-ransomware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775433967,
	"ts_updated_at": 1775826692,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82a0b1c37ade3e9725fc1a1362c163aa677abe4c.pdf",
		"text": "https://archive.orkl.eu/82a0b1c37ade3e9725fc1a1362c163aa677abe4c.txt",
		"img": "https://archive.orkl.eu/82a0b1c37ade3e9725fc1a1362c163aa677abe4c.jpg"
	}
}