Jaff Ransomware Shares Backend Infrastructure With Darknet Marketplace Selling Stolen Financial Data

Not too long ago, we touched upon the Jaff ransomware. This particular type of malware demands a two-Bitcoin payment from its victims, which is quite a steep price right now. However, it appears there is a lot more to this malicious tool than first assumed. Further research unveils a new strain of Jaff has direct ties to an underground marketplace selling stolen bank accounts and credit cards.

Jaff Ransomware Is More Dangerous Than Assumed At First

Heimdal Security researchers have made a rather disturbing discovery where the Jaff ransomware is concerned. A newer version of this malware shares its backend infrastructure with a Darknet forum where criminals can buy and sell bank accounts and stolen credit cards. This is quite troubling, to say the least, as it goes to show there is a lot more to Jaff than people first assumed. This particular marketplace is home to tens of thousands of compromised bank accounts, credit cards, and other types of financial information.

Most people should be well aware of how a ransomware attack is not just about encrypting files these days. While that is the common component across all types of ransomware these days, these malicious tools are often used to steal information from the victim’s computer as well. In the case of Jaff, it appears harvesting information about the victim is a big part of how it operates. This is a common tactic among cybercriminals these days, as the harvested information can be worth quite a lot of money to the right people.

Even though Jaff has not been around all that long, researchers have expressed their concern over the ransomware already. Particularly where the distribution campaign is concerned, as the developers use large-scale email campaigns to distribute a PDF attachment. Once the user downloads the attachments and opens it, they will see a Microsoft Word document asking for specific macro permissions. Granting these permissions results in the ransomware payload being downloaded in the background.

It is evident there is much more to this new ransomware strain than originally assumed. Now that we know multiple iterations of this malicious software exist, the question is what other types of Jaff may be capable of. It is possible all versions share the data harvesting trait. After all, having a tool to harvest bank accounts and credit cards broadcast that information directly to a darknet marketplace where this information is sold is quite ingenious.

For the time being, security researchers are still in the process of gathering additional data about Jaff to see how all of its tools work exactly. It is also possible this ransomware shares quite a few similarities with Dridex, Locky, and other malicious software using the Necurs botnet for distribution. It is unclear what this means for the link to the darknet marketplace in question, though. There is a lot more to the entire ransomware ecosystem than we know right now, and it is kind of scary to think of what researchers may uncover over the coming months.

Moreover, it appears Jaff and all of the other malicious tools potentially linked to it mainly target victims in the US, Germany, Spain, and France. On the darknet marketplace, buyers can find targets with the “most potential,” which is a very strange feature. It also appears this stolen information is used to gain access to cash, which is then turned into Bitcoin and other cryptocurrencies. This entire investigation won’t give Bitcoin a good name by any means, that much is evident

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.