Jaff

Description

Jaff is a ransomware family first discovered in May 2017, notable for its distribution via large-scale spam campaigns operated by the Necurs botnet. These campaigns delivered malicious PDF attachments that contained embedded Word documents with macros, which, when enabled, downloaded the ransomware payload. Jaff encrypts victim files using RSA and AES encryption and appends extensions such as .jaff, .wlu, or .sVn depending on the variant. The ransom note, typically named ReadMe.html or ReadMe.bmp, directs victims to a payment site hosted on the Tor network. The ransomware demands payment in Bitcoin and displays a custom payment portal interface. Jaff was initially believed to be linked to the Locky ransomware operators due to similarities in distribution methods, ransom portal design, and its use of Necurs, though later analysis suggested it was operated by a separate group. Its activity was short-lived, with most campaigns ceasing within weeks of its discovery.

External Analysis
https://www.symantec.com/connect/blogs/jaff-new-ransomware-spread-necurs-botnet
https://blog.malwarebytes.com/threat-analysis/2017/05/jaff-ransomware-analysis/
https://www.bleepingcomputer.com/news/security/jaff-ransomware-infected-over-100000-computers-in-just-a-few-days/
URLs
File servers
Chat servers
http://rktazuzi7hbln7sy.onion/
Admin servers