
Ransomware Trojan Jaff is back in new clothes

Since May 2017 a new variant of the Jaff ransomware, discovered by the security researchers Brad Duncan and Marcelo Rivero, has been in circulation. The layout of the ransom demand has been polished, and the encrypted files now carry the file extension ".wlu".


Like the first version of Jaff, the newly discovered variant is still distributed through malspam campaigns that use malicious documents with macros to download and install the ransomware. The new version now presents itself under the title "JAFF DECRYPTOR", and the more "professional" redesign looks like the result of successful campaigns.

Windows platforms are the ones affected, because the Trojan works through Word macros and from there reaches the computer's file system. Windows computers are meanwhile being infected with the Jaff Trojan on a regular basis, as reported by the LKA Niedersachsen (Lower Saxony State Criminal Police Office).

The scenario: files are encrypted and a ransom of about 2 Bitcoin is demanded for the decryption key, which at the current exchange rate corresponds to roughly EUR 4,416.00. Easy money for the people behind it, and expensive fun for anyone who reacts too carelessly and hastily, or who has no backup.

As mentioned, the masterminds behind Jaff rely on fake e-mails with a supposedly outstanding invoice in the attachment. Unlike earlier campaigns, however, the attachment is a manipulated PDF file instead of a prepared Word document.

This means that whoever is fooled by the e-mail still has a chance if he or she is careful. Opening the PDF file triggers a security warning in the PDF reader, which must first be accepted before the file is fully opened. Up to this point nothing has been compromised. However, if the security warning is dismissed by clicking "OK", the Word document containing the macros is extracted from the PDF and started in Word. The victim must then also agree to enable macros. Only once this hurdle has been cleared, and only if an active Internet connection exists, does the infection with Jaff take place: now a copy of the ransomware is downloaded to the computer and executed there.
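The chain just described (PDF wrapper, embedded Office document, VBA macro, download) is exactly what an attachment filter on a mail gateway can check for before the message reaches a user. The following Python script is an added example, not code from this article or from the Jaff authors. It assumes flat PDF dictionaries and an unfiltered embedded stream, which the inline sample satisfies; real attachments usually compress streams with /FlateDecode, so in practice the stream must be inflated with zlib first, or the check delegated to tools such as pdfid/peepdf and oletools' olevba. The sample PDF and the embedded "document" are constructed inline and are not a real Jaff lure.

```python
"""Triage a PDF attachment for an embedded macro-enabled Office document.

Added example; uses only the standard library. Assumption: flat PDF
dictionaries and uncompressed /EmbeddedFile streams (true for the sample
built below, not for every real-world PDF).
"""
import io
import re
import zipfile

# A dictionary declaring an embedded file, followed by the start of its stream.
EMBEDDED_RE = re.compile(
    rb"<<(?P<dict>[^>]*?/EmbeddedFile[^>]*?)>>\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)")


def extract_embedded_files(pdf: bytes) -> list:
    """Return the raw payload of every /EmbeddedFile stream found in the PDF."""
    payloads = []
    for m in EMBEDDED_RE.finditer(pdf):
        length = LENGTH_RE.search(m.group("dict"))
        if not length:
            continue  # no usable /Length; a real filter would fall back to 'endstream'
        start = m.end()
        payloads.append(pdf[start:start + int(length.group(1))])
    return payloads


def describe_payload(data: bytes) -> dict:
    """Classify an embedded payload: is it a zip, an OOXML document, does it carry VBA?"""
    info = {"is_zip": data.startswith(b"PK\x03\x04"), "is_ooxml": False, "has_vba": False}
    if not info["is_zip"]:
        return info
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return info
    info["is_ooxml"] = "[Content_Types].xml" in names
    # Office stores VBA macros inside the package as vbaProject.bin
    info["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return info


def triage_pdf(pdf: bytes) -> dict:
    """Verdict for one PDF: how many embedded files, how many of them are macro documents."""
    details = [describe_payload(p) for p in extract_embedded_files(pdf)]
    return {
        "embedded_files": len(details),
        "macro_documents": sum(1 for d in details if d["is_ooxml"] and d["has_vba"]),
        "details": details,
    }


def build_office_zip(with_vba: bool) -> bytes:
    """Constructed stand-in for a .docm/.docx: OOXML marker files, optionally a
    dummy vbaProject.bin. The VBA part is filler bytes, not real macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 dummy vba project")
    return buf.getvalue()


def build_sample_pdf(payload: bytes) -> bytes:
    """Constructed minimal PDF that embeds `payload` as a file attachment (no compression)."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    obj = (b"2 0 obj\n<< /Type /EmbeddedFile /Subtype /application#2Foctet-stream"
           b" /Length " + str(len(payload)).encode() + b" >>\nstream\n")
    return head + obj + payload + b"\nendstream\nendobj\n%%EOF\n"


if __name__ == "__main__":
    lure = build_sample_pdf(build_office_zip(with_vba=True))
    verdict = triage_pdf(lure)
    print(verdict)  # -> embedded_files 1, macro_documents 1
```

A gateway rule built on this would quarantine any PDF for which `macro_documents` is non-zero; a PDF that merely embeds a macro-free document (`embedded_files` 1, `macro_documents` 0) still deserves a closer look, since the attachment-in-attachment pattern is itself unusual for a genuine invoice.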

Once the ransomware is running, it scans the computer for specific file types and encrypts them with AES. The current list of targeted file extensions is:

.001, .002, .004, .005, .006, .007, .008, .009, .010, .1cd, .3dm, .3ds, .3fr, .3g2, .3pr, .7ZIP, .MPEG, .aac, .ab4, .accdb, .accde, .accdt, .acd, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .aif, .aiff, .ait, .aoi, .apj, .arw, .as4, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .cad, .cbr, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .css, .csv, .dac, .dat, .db3, .db_journal, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .deb, .der, .des, .design, .dgc, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dsr, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erd, .exf, .fdb, .ffd, .fff, .fhd, .fif, .fla, .flac, .flv, .flvv, .fpx, .fxg, .gif, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hdr, .hpp, .htm, .html, .ibank, .ibd, .ibz, .ico, .ics, .idf, .idx, .iff, .iif, .iiq, .incpas, .indd, .iso, .java, .jnt, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lit, .log, .lua, .m2ts, .m3u, .m4a, .m4p, .m4v, .mapimail, .max, .mbx, .mdb, .mdc, .mdf, .mdi, .mef, .mfw, .mid, .mix, .mkv, .mlb, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpd, .mpg, .msg, .myd, .ndd, .ndf, .nef, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obd, .obj, .obt, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .ord, .ost, .otg, .oth, .otp, .ots, .ott, .ova, .p12, .p7b, .p7c, .pab, .pages, .par, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .prn, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .qba, .qbb, .qbm, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rdb, .rpm, .rtf, .rvt, .rw2, .rwz, .s3db, .safe, .sas7bdat, 
.sav, .save, .say, .sd0, .sda, .sdf, .sitx, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .swm, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vbox, .vcf, .vdi, .veg, .vhd, .vhdx, .vib, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vsc, .vsd, .wab, .wad, .wallet, .wav, .waw, .wb2, .wbk, .wda, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xmod, .ycbcra, .zip, .zipx, .zpf 

Currently it is not possible to decrypt the .wlu variant of the Jaff ransomware

Unfortunately, there is currently no free way to decrypt .wlu files encrypted by the Jaff ransomware.
However, you are not defenceless against this Trojan. Linux and Mac users are better off here anyway, because their systems have different security concepts, file systems and, above all, different requirements for executable software than Windows.
In general, though, it is essential to keep backup copies of the most important data and to set up a concept for daily backups to external media that are disconnected from the production file system after the backup, so that no direct access to them is possible outside the backup process.

This applies to Linux and Mac users too. And above all, think first about whether you are actually expecting an invoice. An invoice does not mean you have to react immediately, so there is still time to take a closer look at the sender of the mail and perhaps to verify it with a phone call.

So daily backups are always the best protection. But even Windows users without backups can breathe a little easier if they use the Volume Shadow Copy Service (VSS, Windows XP and later). It keeps several versions (so-called snapshots) of files and directories within the disk space allotted to it. Setup and use of VSS are described in detail in a TechNet article. Note, however, that many ransomware families delete existing shadow copies before they start encrypting, so snapshots are a fallback and not a replacement for backups that are kept disconnected from the system.