ReSec Halts Jaff Ransomware

The world no sooner recovered from the WannaCry ransomware attack that affected 300,000 endpoints, when a related attack began to ravage the user community. ReSec and our clients encountered the new threat – and prevented it.

Less than one week after WannaCry’s zero-day surprise, one of our customers received a message that ReSec’s protection system had blocked a certain email which contained, for all he knew, an invoice. Not knowing whether it was safe to retrieve the original copy of the email, he turned to us for guidance.
Before most of the world reported on the attack, we checked it out.

The email in question contained a PDF file which, at first glance, looked like a regular invoice. However, this particular PDF contained an embedded Word document. Users were asked to open the PDF attachment, and when they do, the file executes the Word document that releases a series of macro commands to install malware on the machine. Once installed, the malware began to communicate with its C&C.

As it turns out, this was a new type of ransomware titled jaff. Receiving far less attention than May 12th’s WannaCry, this particular ransomware strain is at least as lethal, demonstrating characteristics that resemble other known and dangerous ransomware such as Locky and Dridex. The senders of this particular attack demanded ransom of $3,000 in bitcoin.

What was remarkable about this attack was how well it managed to evade commercially popular antivirus engines. In fact, in our tests, only 8 of 65 such engines identified and blocked it! That’s only a 12% success rate! None of those was even in the top five of the most popular AVs!
Many users who thought they were protected were alarmed to see this appear on their screens:

Forgiving the bad spelling, we have to admit that the payload was potent. Across the world, files were indeed encrypted and there is no known way to decrypt them. Bitcoins, anybody?
The AV world now knows how to prevent jaff, but what about the next one?

What you need to do

In spite of the growing attention toward cybercrime, most organizations today – especially small and medium businesses – still rely heavily on antivirus and other signature-based detection technologies. Antivirus systems are not the end-all, be-all of protection. As I have just explained, antivirus systems are unreliable when it comes to stopping zero-day malware. Yes, it’s important to arm endpoints with AVs at all times, but they must be viewed as add-on solutions, not a complete protection suite. The new generation of ransomware attacks know how to bypass AVs, and they are getting smarter! To rely on AVs means to be exposed.

Every file is a potential threat

When ReSec offers our Content Disarm and Reconstruction (CDR) solution, we bundle multiple AV engines into it. This way, our customers are covered against known threats. However, we know that isn’t protection enough. What about unknown threats?

Best protection practice is to automatically reconstruct every email and file attachment to be absolutely certain that there is no stealthy malware getting onto your machine, ransomware or otherwise. Reconstruction prevents the file or email from ever getting to your machine and, instead, gives you a clean, fully functioning copy. The potentially infected original is still around (held at bay by ReSec), but not on your network.

Transparent, hassle-free reconstruction is a highly effective weapon in the ransomware wars. Don’t receive emails without it!


About the Author: