Jaff Ransomware Tied to Extensive Data Harvesting Operation


The Jaff ransomware, one of the newest and fastest-rising strains in the category, turns out to be linked to an extensive cybercrime marketplace.

Heimdal Security has found that the operation behind Jaff extends well beyond encrypting victims' files.

The strain was first spotted last month, spreading rapidly and hitting millions of targets within a few days. Jaff closely resembles Locky in many respects, including its delivery chain: a PDF attachment that opens an embedded Word document carrying a malicious macro, which in turn fetches the ransomware. It also uses a near-identical payment page. The notable difference is the price: Jaff demands 2 BTC (about $3,700 at the time of writing), well above the typical ransom.
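The delivery chain described above (a PDF wrapping a macro-enabled Word document) is something a responder can triage without opening the file in a viewer. The following is an added example, not code from Heimdal or from any Jaff sample: it constructs a minimal PDF with an embedded OOXML document (the `nm.docm` name, the `/OpenAction` JavaScript and the VBA stub are all assumptions made for the illustration), then scans a PDF for embedded files that are themselves zip containers holding a `word/vbaProject.bin` part, and for document-level JavaScript that could auto-launch the attachment.

```python
import io
import re
import zipfile
import zlib

# ---- Constructed samples (stand-ins for a lure, not real Jaff artefacts) ------

def build_docm_bytes(with_macro=True):
    """Minimal OOXML zip. Only the presence of word/vbaProject.bin matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file magic plus filler; a real VBA project is an OLE file.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


def build_pdf_with_attachment(payload, name="nm.docm", auto_open=False):
    """Minimal PDF carrying `payload` as an embedded file. With auto_open=True an
    /OpenAction runs viewer JavaScript that exports and launches the attachment;
    that script is an assumption about how a lure might be wired, not Jaff's code."""
    catalog = (b"<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles "
               b"<< /Names [(" + name.encode() + b") 4 0 R] >> >>")
    if auto_open:
        catalog += (b" /OpenAction << /S /JavaScript /JS (this.exportDataObject("
                    b"{cName:\"" + name.encode() + b"\", nLaunch:2});) >>")
    catalog += b" >>"
    stream = zlib.compress(payload)
    objs = [
        catalog,
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R >>",
        b"<< /Type /Filespec /F (" + name.encode() + b") /EF << /F 5 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(stream)).encode() + b" >>\nstream\n" + stream + b"\nendstream",
    ]
    out, offsets = b"%PDF-1.7\n", []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{i} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_pos = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return out

# ---- Triage scanner -------------------------------------------------------------

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")   # \b excludes /EmbeddedFiles


def _stream_payload(obj_body):
    """Decoded stream of one object, or None. Handles raw and FlateDecode streams,
    which is enough for a first-pass heuristic (object streams, other filters and
    indirect /Length values are left to a full PDF parser)."""
    m = re.search(rb"stream\r?\n", obj_body)
    if not m:
        return None
    start = m.end()
    length = re.search(rb"/Length\s+(\d+)\b(?!\s+0\s+R)", obj_body)
    if length:
        data = obj_body[start:start + int(length.group(1))]
    else:
        data = obj_body[start:obj_body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in obj_body:
        try:
            data = zlib.decompress(data)
        except zlib.error:
            return None
    return data


def _is_macro_document(payload):
    """True if the payload is an OOXML zip containing a VBA project part.
    A legacy OLE .doc would need an OLE parser (e.g. oletools) and is not handled."""
    if not payload.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def scan_pdf(pdf):
    """Flag the lure pattern: embedded Office document with macros, and/or an
    attachment combined with document JavaScript that could launch it."""
    report = {"embedded_files": 0, "macro_documents": 0,
              "javascript": bool(re.search(rb"/JS\b|/JavaScript\b", pdf)),
              "open_action": b"/OpenAction" in pdf}
    for _num, body in OBJ_RE.findall(pdf):
        if not EMBEDDED_RE.search(body):
            continue
        payload = _stream_payload(body)
        if payload is None:
            continue
        report["embedded_files"] += 1
        if _is_macro_document(payload):
            report["macro_documents"] += 1
    if report["macro_documents"]:
        report["verdict"] = "suspicious: embedded macro document"
    elif report["embedded_files"] and report["javascript"]:
        report["verdict"] = "suspicious: attachment plus JavaScript"
    else:
        report["verdict"] = "no lure pattern found"
    return report


if __name__ == "__main__":
    sample = build_pdf_with_attachment(build_docm_bytes(True), auto_open=True)
    print(scan_pdf(sample))
```

This is deliberately a heuristic for mail-gateway or sandbox triage, not a parser: it works on the raw byte stream, so a lure that hides the attachment inside an object stream or uses a different filter will slip past it, and a positive result means "detonate this in a sandbox", not "this is Jaff".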

While analyzing a recent Jaff variant, Heimdal researchers found that it shares server space with a polished cybercrime web store offering access to tens of thousands of compromised bank accounts, complete with each account's balance, location and associated email address.

“Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, and compromised accounts on PayPal, Amazon, eBay and many more,” said security evangelist Andra Zaharia, in a security alert. “Prices per item vary from under a dollar to several Bitcoins. Access to the marketplace doesn’t include a vetting process, making the barrier to entry quite low for malicious actors of all kinds.”

The shop also offers filters so that buyers can pick out the most lucrative targets. One search turned up a cache of compromised accounts at New Zealand bank ASB listed as being worth up to $275,241.

“Banks from all over the world are listed,” Zaharia said. “Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com and many other ecommerce portals can become victims of cyber fraud or other types of malicious activity.”

The accounts on offer were most likely harvested by exploiting weak or reused passwords (the pattern behind credential-stuffing attacks) rather than by breaching the ecommerce sites themselves.

The server hosting the marketplace is located in St. Petersburg, Russia, and is part of the infrastructure behind the Jaff ransomware. Running the two activities side by side makes the operation especially dangerous.

“By combining these informational assets, cyber-criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment,” Zaharia explained. 
