The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff".
Jaff spreads in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM file with a malicious macro script. This script will then download and execute the Jaff ransomware.
Locky – like Jaff – also used the Necurs botnet and a booby-trapped PDF, Malwarebytes notes.
"This is where the comparison ends, since the code base is different as well as the ransom itself," said Jérôme Segura, a security researcher at Malwarebytes. "Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing."
Jaff ransomware payload [source: Malwarebytes blog]
Proofpoint reckons Jaff may be the work of the same cybercriminals behind Locky, Dridex and Bart (other nasty malware) but this remains unconfirmed.
And Forcepoint Security Labs reports that malicious emails carrying Jaff are being cranked out at a rate of 5 million an hour on Thursday, or 13 million in total at the time it wrote up a blog post about the new threat.
Carl Leonard, principal security analyst for Forcepoint, commented: "It's unclear if Jaff's links with Locky extend beyond the visual structure of the URLs and documents employed. What is clear given the 13+ million messages sent is that the actors behind the campaign have expended significant resources on making such a grand entrance."
It's early days but few infections from the ransomware have been detected thus far. MalwareHunterTeam says it has identified just two victims.
The sprawling Necurs botnet went dormant around the start of the year before returning to spread Locky and more recently a pump-and-dump stock price scam. It's unclear if this week's switch to Jaff will be sustained but this likely depends on the success of the ransomware's "opening run".
The Jaff ransomware was first identified by security researcher S!Ri. ®