Security experts from Heimdal Security discovered that the Jaff ransomware is sharing the backend infrastructure with a black market offering access to thousands of hacked bank accounts, full details about their balance, location and attached email address.The new family of
The new family of Jaff was discovered by Brad Duncan (a security researcher) that has a new design for the ransom note and a new WLU extension for encrypted files. Same to the first variant of Jaff, this new version continues to be spread through spam campaigns that use malicious documents to download infect computer with ransomware.Andra Zaharia (security evangelist) said:
Andra Zaharia (security evangelist) said:
“As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim. By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment,”
“While analyzing a recent variant of Jaff, researchers have uncovered that this ransomware type shares server space with a refined cyber crime web store.”
Cybercriminals used a server with the IP address “5.101.66.85” which is located in St. Petersburg – Russia, the server is also included in the attack to spread the Jaff ransomware all over the world.
The hackers used the following domains:
http://paysell.info or “.net” or “.me” or “.bz” or “.org” or “.ws”
And TOR network service:
paysellzh4l5lso7.onion
Zaharia said:
“It can happen that we will see these two models combined, with data breaches becoming accompanied by subsequent ransomware attacks, which would make it a nightmare for companies to deal with.”