{
	"id": "c8d3e130-fc22-4ca2-bd97-76b159331346",
	"created_at": "2026-04-06T00:14:25.331134Z",
	"updated_at": "2026-04-10T03:24:30.13544Z",
	"deleted_at": null,
	"sha1_hash": "bb25dbdfa996bbb04b02a282027165a1dd5bd2b4",
	"title": "Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 445253,
	"plain_text": "Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart | Proofpoint US\r\nBy Proofpoint Staff, May 11, 2017\r\nPublished: 2017-05-11 · Archived: 2026-04-05 16:35:07 UTC\r\nAfter a two-week break in campaign activity, the actors behind the distribution of Locky Affid=3 and Dridex 220/7200/7500 have introduced a new ransomware called “Jaff”. The group has introduced new ransomware before in similar fashion, specifically the Bart ransomware. While Bart was only seen several times in email, and then spread via exploit kit (EK) campaigns, it remains to be seen how Jaff will be used.\r\nAnalysis\r\nOn May 11, Proofpoint researchers detected a large campaign involving tens of millions of messages with .pdf attachments containing embedded Microsoft Word documents with macros that, if enabled, download Jaff ransomware. The messages in this campaign purported to be:\r\nFrom \"Joan \u003cjoan.1234@[random domain]\u003e\" (random name, digits) with subject \"Receipt to print\" and attachment \"Sheet_321.pdf\" (random digits; also \"Document\" and \"Receipt\")\r\nFrom \"John \u003cjohn.doe123@[random domain]\u003e\" (random name, digits) with subject \"Document_1234567\" (random digits; also \"Copy\", \"File\", \"PDF\", \"Scan\") and attachment \"nm.pdf\"\r\nhttps://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart\r\nPage 1 of 8\r\nFigure 1: Email delivering the PDF distributing Jaff ransomware\r\nFigure 2: The PDF file delivered by malicious email messages\r\nFigure 3: The Microsoft Word document embedded inside the PDF\r\nTo alert the victim that they are infected and that their files are encrypted, this ransomware creates two types of files, similar to many other types of ransomware. Specifically, it drops a ReadMe.bmp and ReadMe.html as shown in the following figures.\r\nFigure 4: Readme.bmp ransom message\r\nFigure 5: Readme.html ransom message\r\nAfter encryption, a “.jaff” extension is appended to the encrypted files. The list of file extensions that Jaff encrypts includes:\r\n.xlsx | .acd | .pdf | .pfx | .crt | .der | .cad | .dwg | .MPEG | .rar | .veg | .zip | .txt | .jpg | .doc | .wbk | .mdb | .vcf | .docx | .ics | .vsc | .mdf | .dsr | .mdi | .msg | .xls | .ppt | .pps | .obd | .mpd | .dot | .xlt | .pot | .obt | .htm | .html | .mix | .pub | .vsd | .png | .ico | .rtf | .odt | .3dm | .3ds | .dxf | .max | .obj | .7z | .cbr | .deb | .gz | .rpm | .sitx | .tar | .tar.gz | .zipx | .aif | .iff | .m3u | .m4a | .mid | .key | .vib | .stl | .psd | .ova | .xmod | .wda | .prn | .zpf | .swm | .xml | .xlsm | .par | .tib | .waw | .001 | .002 | .003 | .004 | .005 | .006 | .007 | .008 | .009 | .010 | .contact | .dbx | .jnt | .mapimail | .oab | .ods | .ppsm | .pptm | .prf | .pst | .wab | .1cd | .3g2 | .7ZIP | .accdb | .aoi | .asf | .asp | .aspx | .asx | .avi | .bak | .cer | .cfg | .class | .config | .css | .csv | .db | .dds | .fif | .flv | .idx | .js | .kwm | .laccdb | .idf | .lit | .mbx | .md | .mlb | .mov | .mp3 | .mp4 | .mpg | .pages | .php | .pwm | .rm | .safe | .sav | .save | .sql | .srt | .swf | .thm | .vob | .wav | .wma | .wmv | .xlsb | .aac | .ai | .arw | .c | .cdr | .cls | .cpi | .cpp | .cs | .db3 | .docm | .dotm | .dotx | .drw | .dxb | .eps | .fla | .flac | .fxg | .java | .m | .m4v | .pcd | .pct | .pl | .potm | .potx | .ppam | .ppsx | .ps | .pspimage | .r3d | .rw2 | .sldm | .sldx | .svg | .tga | .wps | .xla | .xlam | .xlm | .xltm | .xltx | .xlw | .act | .adp | .al | .bkp | .blend | .cdf | .cdx | .cgm | .cr2 | .dac | .dbf | .dcr | .ddd | .design | .dtd | .fdb | .fff | .fpx | .h | .iif | .indd | .jpeg | .mos | .nd | .nsd | .nsf | .nsg | .nsh | .odc | .odp | .oil | .pas | .pat | .pef | .ptx | .qbb | .qbm | .sas7bdat | .say | .st4 | .st6 | .stc | .sxc | .sxw | .tlg | .wad | .xlk | .aiff | .bin | .bmp | .cmt | .dat | .dit | .edb | .flvv | .gif | .groups | .hdd | .hpp | .log | .m2ts | .m4p | .mkv | .ndf | .nvram | .ogg | .ost | .pab | .pdb | .pif | .qed | .qcow | .qcow2 | .rvt | .st7 | .stm | .vbox | .vdi | .vhd | .vhdx | .vmdk | .vmsd | .vmx | .vmxf | .3fr | .3pr | .ab4 | .accde | .accdt | .ach | .acr | .adb | .srw | .st5 | .st8 | .std | .sti | .stw | .stx | .sxd | .sxg | .sxi | .sxm | .tex | .wallet | .wb2 | .wpd | .x11 | .x3f | .xis | .ycbcra | .qbw | .qbx | .qby | .raf | .rat | .raw | .rdb | .rwl | .rwz | .s3db | .sd0 | .sda | .sdf | .sqlite | .sqlite3 | .sqlitedb | .sr | .srf | .oth | .otp | .ots | .ott | .p12 | .p7b | .p7c | .pdd | .pem | .plus_muhd | .plc | .pptx | .psafe3 | .py | .qba | .qbr | .myd | .ndd | .nef | .nk | .nop | .nrw | .ns2 | .ns3 | .ns4 | .nwb | .nx2 | .nxl | .nyf | .odb | .odf | .odg | .odm | .ord | .otg | .ibz | .iiq | .incpas | .jpe | .kc2 | .kdbx | .kdc | .kpdx | .lua | .mdc | .mef | .mfw | .mmw | .mny | .moneywell | .mrw | .des | .dgc | .djvu | .dng | .drf | .dxg | .eml | .erbsql | .erd | .exf | .ffd | .fh | .fhd | .gray | .grey | .gry | .hbk | .ibank | .ibd | .cdr4 | .cdr5 | .cdr6 | .cdrw | .ce1 | .ce2 | .cib | .craw | .crw | .csh | .csl | .db_journal | .dc2 | .dcs | .ddoc | .ddrw | .ads | .agdl | .ait | .apj | .asm | .awg | .back | .backup | .backupdb | .bank | .bay | .bdb | .bgt | .bik | .bpw | .cdr3 | .as4 | .tif | .asp | .hdr\r\nThe ransom note urges the user to visit a payment portal located on a Tor site in order to pay 1.79 bitcoins (over $3300 USD at current exchange rates). The payment portal, shown in the figures below, is similar to the one used by Locky and Bart. Visually, the primary changes involve titles and headings: for example, “How to buy Decryptor Bart?” was changed to “How to buy jaff decryptor?”. While the payment portals look visually identical, the ransomware code remains to be analyzed and there are reports that it is different.\r\nFigure 6: Ransomware payment portal\r\nConclusion\r\nThe actors behind the distribution of Dridex and Locky regularly try new document types, lures, exploits, and more to deliver their payloads more effectively. Similarly, after months of distributing Dridex in high-volume campaigns, they introduced Locky ransomware, which ultimately became the primary payload in the largest campaigns we have ever observed. Within months, they also brought Bart ransomware to the scene. While Bart never gained significant traction, the appearance of Jaff ransomware from the same group bears watching. We will be looking more closely at Jaff samples in the weeks to come and will continue to monitor its use in email campaigns and elsewhere.\r\nIndicators of Compromise (IOCs)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart"
	],
	"report_names": [
		"jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434465,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb25dbdfa996bbb04b02a282027165a1dd5bd2b4.pdf",
		"text": "https://archive.orkl.eu/bb25dbdfa996bbb04b02a282027165a1dd5bd2b4.txt",
		"img": "https://archive.orkl.eu/bb25dbdfa996bbb04b02a282027165a1dd5bd2b4.jpg"
	}
}