diff --git a/clusters/ransomware.json b/clusters/ransomware.json
index 2065d729..0a7e4988 100644
--- a/clusters/ransomware.json
+++ b/clusters/ransomware.json
@@ -8120,7 +8120,28 @@
 ".vxLock"
 ]
 }
- }
+ },
+ {
+ "value": "Jaff",
+ "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.",
+ "meta": {
+ "extensions": [
+ ".jaff"
+ ],
+ "encryption": "AES",
+ "ransomnotes": [
+ "WallpapeR.bmp",
+ "ReadMe.bmp",
+ "ReadMe.html",
+ "ReadMe.txt"
+ ],
+ "refs": [
+ "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html",
+ "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/"
+ ]
+ }
+ },
+
 ],
 "source": "Various",
 "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",
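Review bot: The closing `},` of the new Jaff entry is the last element before the array's `],`, so the file now has a trailing comma and a strict JSON parser rejects the whole ransomware cluster, not just this entry. The last added object should end with `}` and no comma. As the hunk is shown here, the description also contains `"Jaff"` in unescaped double quotes. If that is really in the file and not a rendering artifact, it ends the string early and should be written `\"Jaff\"`. Any tooling that loads this cluster for tagging or detection context would fail on it or lose the ransomware entries, so a parse check such as `python -m json.tool clusters/ransomware.json` before merge would catch both problems.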