The Hacker News — Cyber Security, Hacking, Technology News

A massive malicious email campaign that stems from the world's largest spam botnet Necurs is spreading a new strain of ransomware at the rate of over 2 million emails per hour and hitting computers across the globe.

The popular malspam botnet Necrus which has previously found distributing Dridex banking trojan, Trickbot banking trojan, Locky ransomware, and Jaff ransomware, has now started spreading a new version of Scarab ransomware.

According to F-Secure, Necurs botnet is the most prominent deliverer of spam emails with five to six million infected hosts online monthly and is responsible for the biggest single malware spam campaigns.

Scarab ransomware is a relatively new ransomware family that was initially spotted by ID Ransomware creator Michael Gillespie in June this year.

Massive Email Campaign Spreads Scarab Ransomware

According to a blog post published by security firm Forcepoint, the massive email campaign spreading Scarab ransomware virus started at approximately 07:30 UTC on 23 November (Thursday) and sent about 12.5 million emails in just six hours.

The Forcepoint researchers said "the majority of the traffic is being sent to the .com top-level domain (TLD). However, this was followed by region-specific TLDs for the United Kingdom, Australia, France, and Germany."

The spam email contains a malicious VBScript downloader compressed with 7zip that pulls down the final payload, with one of these subject lines:

• Scanned from Lexmark
• Scanned from Epson
• Scanned from HP
• Scanned from Canon

As with previous Necurs botnet campaigns, the VBScript contained a number of references to the widely watched series Game of Thrones, like the strings 'Samwell' and 'JohnSnow.'

The final payload is the latest version of Scarab ransomware with no change in filenames, but it appends a new file extension with ".[suupport@protonmail.com].scarab" to the encrypted files.

Once done with the encryption, the ransomware then drops a ransom note with the filename "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" within each affected directory.

The ransom note does not specify the amount being demanded by the criminals; instead, it merely states that "the price depends on how fast you [the victim] write to us."

However, Scarab ransomware offers to decrypt three files for free to prove the decryption will work: "Before paying you can send us up to 3 files for free decryption."

Protection Against Ransomware

To safeguard against such ransomware infection, you should always be suspicious of any uninvited document sent over an email and should never click on links provided in those documents unless verifying the source.

Most importantly, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC in order to always have a tight grip on all your important files and documents.

Moreover, make sure that you run an active anti-virus solution on your system, and always browse the Internet safely.

Hit by Jaff Ransomware? Don't pay the Ransom. You can unlock your files for Free!

Kaspersky Labs has released an updated version 1.21.2.1 of its free ransomware decryption tool, RakhniDecryptor, which can now also decrypt files locked by the Jaff ransomware.

Security researchers at Kaspersky Labs have discovered a weakness in the Jaff ransomware code that makes it possible for victims to unlock their Jaff-infected files for free.

First identified last month, Jaff is relatively new ransomware that's being distributed with the help of 'Necurs botnet' that currently controls over 6 million infected computers worldwide.

Necurs botnet is the same botnet – army of compromised internet connected devices – that was used to distribute Dridex Banking Trojan and Locky ransomware, which also infects users’ machines, encrypt files and then demand a ransom before unlocking them.

Jaff ransomware (Trojan-Ransom.Win32.Jaff) attack is primarily carried out by sending spam emails to millions of users with an attached PDF, which if clicked, opens up an embedded Word document with a malicious macro script to downloads and execute the ransomware.

Once victims download and enable a Word macro associated with the .PDF, the Jaff ransomware gets downloaded onto their computer, encrypting victims files and then demanding a ransom of between 0.5 to 2 Bitcoin (~$1,500 to $5,000 today).

The Jaff attack started on May 12 – the same day when the devastating WannaCry ransomware debuted – by sending spam emails at the speed of 5 Million emails per hour.

How to Use RakhniDecryptor

Kaspersky RakhniDecryptor tool is a lightweight and portable piece of software designed to decrypt files encrypted by several variants of ransomware including Lobzik, Rakhni, Mircop, Crusis and 17 others.

RakhniDecryptor is very easy to use and doesn't require any technical knowledge. Here's the list of simple steps to use this tool:

• Download RakhniDecryptor 1.21.2.1
• Run the RakhniDecryptor.exe file on the infected computer
• Click 'Change parameters' to select the objects to scan (hard drives/removable drives/network drives)
• Click the 'Start Scan' button and then choose the specify path to one of the encrypted files
• The RakhniDecryptor utility will then recover the decryption password to unlock files

How to Protect Yourself From Ransomware Attacks

Whether it's Jaff, Locky, CoinVault, TeslaCrypt, or any other ransomware, the protection measures are standard.

To safeguard against ransomware infections, you should always be suspicious of uninvited documents sent in an email and never click on links inside those documents unless verifying their source.

Check if macros are disabled in your MS Office apps. If not, block macros from running in MS Office files from the Internet. In enterprises, your system administrators can set the default setting for macros.

In order to always have a tight grip on all your important documents, keep a good backup routine in place that makes copies of your files to an external storage device which is not always connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system and keep them up-to-date, and most importantly, always browse the Internet safely.

A massive malicious email campaign that stems from the Necurs botnet is spreading a new ransomware at the rate of 5 million emails per hour and hitting computers across the globe.

Dubbed "Jaff," the new file-encrypting ransomware is very similar to the infamous Locky ransomware in many ways, but it is demanding 1.79 Bitcoins (approx $3,150), which much higher than Locky, to unlock the encrypted files on an infected computer.

According to security researchers at Forcepoint Security Lab, Jaff ransomware, written in C programming language, is being distributed with the help of Necurs botnet that currently controls over 6 million infected computers worldwide.

Necurs botnet is sending emails to millions of users with an attached PDF document, which if clicked, opens up an embedded Word document with a malicious macro script to downloads and execute the Jaff ransomware, Malwarebytes says.

Jaff is Spreading at the Rate of 5 Million per Hour

The malicious email campaign started on Thursday morning at 9 am and had peaked by 1 pm, and its system recorded and blocked more than 13 million emails during that period – that's 5 Million emails per an hour.

"Jaff targets 423 file extensions. It is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the '.jaff' file extension is appended," Forcepoint says.

The ransomware then drops a ransom note in every affected folder while the desktop background of the infected computer is also replaced.

The ransom note tells victims that their files are encrypted, but doesn’t ask them for any payments; instead, it urges victims to visit a payment portal located on a Tor site, which is accessible via Tor Browser, in order to get decrypt their important files.

Once victims install Tor Browser and visit the secret site, there they are then asked for an astounding 1.79 BTC (about $3,150).
Separate research conducted by Proofpoint researchers indicated that the Jaff ransomware could be the work of the same cybercriminal gang behind Locky, Dridex, and Bart.

The security company said that the Raff ransomware campaign had affected users globally with primarily victim organizations in the United Kingdom and the United States, as well as Ireland, Belgium, Italy, Germany, the Netherlands, France, Mexico and Australia.

Massive Ransomware Attack Uses NSA's Windows Exploit

In separate news, another massive fast-spreading ransomware campaign is targeting computers at Hospitals, Banks, Telecom and Organisations across the globe today.

The ransomware, known as WanaCypt0r or WannaCry, is using NSA's Windows exploit, EternalBlue, which was leaked by Shadow Brokers hacking group over a month ago.

Within just hours this cyber attack has infected more than 60,000 computers in 74 countries.

How can you Protect yourself from the Jaff Ransomware?

To safeguard against such ransomware infection, you should always be suspicious of uninvited documents sent an email and should never click on links inside those documents unless verifying the source.

Check if macros are disabled in your Microsoft Office applications. If not, block macros from running in Office files from the Internet. In enterprises, your system admin can set the default setting for macros.

To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.

Moreover, make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.