A new variant of the Jaff ransomware was discovered by security researchers Brad Duncan and Marcelo Rivero. It includes a redesigned ransom note and appends the new .wlu extension to encrypted files. Like the first variant of Jaff, this version continues to be distributed through malspam campaigns that use malicious documents and macros to download and install the ransomware.
For those who are infected, or just wish to discuss the Jaff ransomware, you can do so in our dedicated Jaff Ransomware Help & Support Topic.
With this new WLU version, Jaff started using a new design for its ransom note and a new name for its decryption service. In the previous version, the ransom note was titled "jaff decryptor system" and consisted of a bland, amateurish page whose HTML and CSS were a mess.
This new version is titled "JAFF DECRYPTOR", and the developers have clearly spent some time on it. Unfortunately, the fact that the Jaff developers are releasing new versions and polishing their design to look more "professional" suggests that their previous campaigns have been profitable, so we can expect further updates in the future.
The new Jaff campaign is being distributed through emails that pretend to be invoices for the recipient. These emails use subjects such as Copy of Invoice 99483713 or Invoice(58-0710), where the number is random, and carry a malicious PDF attachment. You can see an example of one of these emails below.
When a victim opens the PDF attachment, depending on the PDF reader installed, they are prompted to open an embedded Word document.
If the victim opens the Word document, they are presented with the standard Enable Security and Enable Content prompts that enable the macros embedded in the document.
Once the user clicks Enable Content, the macros execute, download a copy of the ransomware, and run it. You can see an example of the macros below.
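The PDF-to-Word-to-macro chain described above can be triaged without opening the attachment. The following is an added example written for this article, not code from the researchers or from the malware analysis. It parses PDF objects with regular expressions (enough for a small, unobfuscated file; use a real PDF parser for production triage), extracts /EmbeddedFile streams, and checks whether an embedded OOXML document carries a vbaProject.bin part. The sample PDF it builds is constructed for the demonstration and is not a Jaff attachment; the placeholder vbaProject.bin contains no real VBA.

```python
"""Triage a PDF lure for an embedded, macro-enabled Office document."""
import io
import re
import zipfile
import zlib

# PDF name tokens that mean the file does more than display pages. /EmbeddedFile
# is the one this lure chain depends on; the others are common in other PDF lures.
SUSPICIOUS_NAMES = (b"EmbeddedFile", b"OpenAction", b"JavaScript", b"JS", b"Launch", b"AA")

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_START_RE = re.compile(rb"stream\r?\n")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def _has_name(blob: bytes, name: bytes) -> bool:
    """Match a PDF name token exactly, so /EmbeddedFiles does not count as /EmbeddedFile."""
    return re.search(rb"/" + name + rb"(?![A-Za-z0-9])", blob) is not None


def _stream_data(body: bytes) -> tuple:
    """Split an object body into (dictionary, decoded stream data or None)."""
    m = STREAM_START_RE.search(body)
    if m is None:
        return body, None
    dictionary, rest = body[:m.start()], body[m.end():]
    length = re.search(rb"/Length\s+(\d+)", dictionary)
    if length:
        data = rest[: int(length.group(1))]
    else:  # no direct /Length: fall back to the endstream keyword
        data = rest.rsplit(b"endstream", 1)[0].rstrip(b"\r\n")
    if _has_name(dictionary, b"FlateDecode"):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # leave raw; other filters (e.g. /LZWDecode) are not handled here
    return dictionary, data


def extract_embedded_files(pdf: bytes) -> list:
    """Return the decoded payload of every /Type /EmbeddedFile stream object."""
    payloads = []
    for body in OBJ_RE.findall(pdf):
        dictionary, data = _stream_data(body)
        if data is not None and _has_name(dictionary, b"EmbeddedFile"):
            payloads.append(data)
    return payloads


def classify_payload(data: bytes) -> str:
    """Identify what was embedded and whether it carries VBA macros."""
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        app = next((n.split("/")[0] for n in names if n.split("/")[0] in ("word", "xl", "ppt")), None)
        if app is None:
            return "zip archive"
        macros = any(n.endswith("vbaProject.bin") for n in names)
        return f"OOXML {app} document {'with' if macros else 'without'} VBA macros"
    if data.startswith(OLE_MAGIC):
        return "OLE2 container (legacy Office); check for macros with oletools/olevba"
    return "unknown payload"


def triage_pdf(pdf: bytes) -> dict:
    """Summarise indicators for one PDF attachment."""
    names = ["/" + n.decode() for n in SUSPICIOUS_NAMES if _has_name(pdf, n)]
    embedded = [classify_payload(p) for p in extract_embedded_files(pdf)]
    if any("with VBA" in e for e in embedded):
        verdict = "macro-chain lure: embedded Office document carries macros"
    elif names or embedded:
        verdict = "suspicious: review indicators"
    else:
        verdict = "no indicators"
    return {"names": names, "embedded": embedded, "verdict": verdict}


def build_sample_lure() -> bytes:
    """Constructed sample, not a real Jaff attachment: a minimal PDF whose only
    content is an embedded macro-enabled .docm, mimicking the chain described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder bytes, not real VBA
    stream = zlib.compress(buf.getvalue())
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles << /Names [(Invoice.docm) 4 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Type /Filespec /F (Invoice.docm) /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(stream)
        + stream + b"\nendstream",
    ]
    parts = [b"%PDF-1.7\n"]
    for num, obj in enumerate(objects, 1):
        parts.append(b"%d 0 obj\n%s\nendobj\n" % (num, obj))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_lure()).items():
        print(f"{key}: {value}")
```

The name-token check uses a lookahead so that the catalog's /EmbeddedFiles tree is not mistaken for an /EmbeddedFile stream, and the stream reader honours a direct /Length before falling back to the endstream keyword; indirect /Length references and filters other than FlateDecode are out of scope for this sketch.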
Once the ransomware is executed, it scans the computer for targeted file types and encrypts them with AES. The current list of targeted file extensions is:
.001, .002, .004, .005, .006, .007, .008, .009, .010, .1cd, .3dm, .3ds, .3fr, .3g2, .3pr, .7ZIP, .MPEG, .aac, .ab4, .accdb, .accde, .accdt, .acd, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .aif, .aiff, .ait, .aoi, .apj, .arw, .as4, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .cad, .cbr, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .css, .csv, .dac, .dat, .db3, .db_journal, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .deb, .der, .des, .design, .dgc, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dsr, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erd, .exf, .fdb, .ffd, .fff, .fhd, .fif, .fla, .flac, .flv, .flvv, .fpx, .fxg, .gif, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hdr, .hpp, .htm, .html, .ibank, .ibd, .ibz, .ico, .ics, .idf, .idx, .iff, .iif, .iiq, .incpas, .indd, .iso, .java, .jnt, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lit, .log, .lua, .m2ts, .m3u, .m4a, .m4p, .m4v, .mapimail, .max, .mbx, .mdb, .mdc, .mdf, .mdi, .mef, .mfw, .mid, .mix, .mkv, .mlb, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpd, .mpg, .msg, .myd, .ndd, .ndf, .nef, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obd, .obj, .obt, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .ord, .ost, .otg, .oth, .otp, .ots, .ott, .ova, .p12, .p7b, .p7c, .pab, .pages, .par, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .prn, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .qba, .qbb, .qbm, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rdb, .rpm, .rtf, .rvt, .rw2, .rwz, .s3db, .safe, .sas7bdat, 
.sav, .save, .say, .sd0, .sda, .sdf, .sitx, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .swm, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vbox, .vcf, .vdi, .veg, .vhd, .vhdx, .vib, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vsc, .vsd, .wab, .wad, .wallet, .wav, .waw, .wb2, .wbk, .wda, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xmod, .ycbcra, .zip, .zipx, .zpf
When encrypting a file it will append the .wlu extension to the encrypted file's name.
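Because Jaff appends .wlu to the full original file name, an incident responder can recover what each encrypted file was and scope the damage quickly. The following is an added example written for this article, not a tool from the researchers or from the page's source; it walks a directory tree, recovers original names and extensions from .wlu files, locates the ransom notes by their README_TO_DECRYPT stem, and counts unencrypted files of targeted types that are still at risk. The extension set is a small subset of the list above (an assumption made to keep the example short), and the sample tree it builds is constructed, not data from a real infection.

```python
"""Scope a Jaff WLU infection on a file tree."""
import os
import tempfile
from collections import Counter

WLU_SUFFIX = ".wlu"
# Ransom note names given on this page, matched case-insensitively by stem so
# the .txt, .bmp and .html copies are all caught.
RANSOM_NOTE_STEM = "readme_to_decrypt"
# Assumption: a small subset of the targeted extension list above is enough for
# the demonstration; load the full list when running this for real.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt",
            ".sql", ".vmdk", ".bak", ".kdbx", ".pst"}


def scope_directory(root: str) -> dict:
    """Walk root and summarise encrypted files, ransom notes and at-risk files.
    Paths are reported relative to root so the result is stable across machines."""
    encrypted = []          # (relative path, original file name, original extension)
    notes = []
    at_risk = Counter()     # unencrypted files per targeted extension
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            lower = name.lower()
            if lower.endswith(WLU_SUFFIX):
                # .wlu is appended to the whole name, so stripping it recovers the
                # original file name and its real extension.
                original = name[: -len(WLU_SUFFIX)]
                encrypted.append((rel, original, os.path.splitext(original)[1].lower()))
            elif lower.startswith(RANSOM_NOTE_STEM):
                notes.append(rel)
            elif os.path.splitext(lower)[1] in TARGETED:
                at_risk[os.path.splitext(lower)[1]] += 1
    return {
        "encrypted": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "encrypted_per_dir": dict(Counter(os.path.dirname(p) for p, _, _ in encrypted)),
        "original_extensions": dict(Counter(ext for _, _, ext in encrypted)),
        "at_risk": dict(at_risk),
    }


def build_sample_tree() -> str:
    """Constructed sample tree of empty files, not data from a real infection."""
    root = tempfile.mkdtemp(prefix="jaff-wlu-demo-")
    sample_files = [
        "Documents/Q2 invoice.xlsx.wlu",
        "Documents/notes.txt",
        "Documents/README_TO_DECRYPT.txt",
        "Documents/README_TO_DECRYPT.html",
        "Pictures/holiday.jpg.wlu",
        "Pictures/Thumbs.db",            # .db is not in the targeted list
        "Backups/site.sql",
        "Backups/vm.vmdk",
    ]
    for rel in sample_files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root


if __name__ == "__main__":
    for key, value in scope_directory(build_sample_tree()).items():
        print(f"{key}: {value}")
```

Run it against the root of each affected share or user profile; the per-directory counts show how far the encryption got, and the at-risk counts tell you what to isolate or back up first if the infection is still running.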
Unfortunately, at this time it is not possible to decrypt .wlu files encrypted by the Jaff ransomware for free.
The only way to recover encrypted files is from a backup or, if you are incredibly lucky, from Shadow Volume Copies. If you are unable to restore your files from a backup, I always suggest that victims try to restore them from Shadow Volume Copies to be safe. A guide on how to do this can be found in the How to recover files and folders using Shadow Volume Copies article.
As always, if you need assistance with this ransomware or its removal, you can ask for help in our dedicated Jaff Ransomware Help & Support Topic.
See Brad's SANS Diary for a full list of hashes.
Jaff WLU Ransom Note:
/////////////////////////////////////////////////////////////////////////////////
Files are encrypted!
To decrypt flies you need to obtain the private key.
The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet.
1. You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en
2. After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/
Follow the instruction on the website.
Your decrypt ID: 1111111111
//////////////////////////////////////////////////////////////////////////////
Files associated with the WLU Jaff Ransomware Variant:
README_TO_DECRYPTl.txt
README_TO_DECRYPTl.bmp
README_TO_DECRYPT.html