Jaff ransomware, one of the newest and fast-rising strains, has been sweeping the world in the past month. As it turns out, the operations behind it run much further than malicious data encryption.

While analyzing a recent variant of Jaff, researchers have uncovered that this ransomware type shares server space with a refined cyber crime web store.

As observed in previous campaigns, the Jaff ransomware infection starts with a malicious PDF, which, when opened, prompts the user to click on an additional file, while triggering the infection in the background.

jaff ransomware malicious PDF

By following the trail and digging deeper into cyber criminal infrastructure, researchers discovered the web shop that provides access to tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address.

Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, and compromised accounts on Paypal, Amazon, eBay and many more.

Prices per item vary from under a dollar to several Bitcoins.

cyber crime web shop - 1

Access to the marketplace doesn’t include a vetting process, making the barrier to entry quite low for malicious actors of all kinds.

What’s more, the shop also includes filters, so the buyer can find the targets with the most lucrative potential. For example, the screenshot below shows that the compromised accounts from New Zealand bank ASB listed in the shop total up to $275,241.

Banks from all over the world are listed, ranging from German financial institutions, to US and Australian ones. The highest volume of compromised records appears to originate from these countries: USA, Germany, France, Spain, Canada, Australia, Italy and New Zealand.

cyber crime web shop - 2

Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy,, and many other ecommerce portals can become victims of cyber fraud or other types of malicious activity.

This doesn’t mean that those specific web shops have been compromised. Cyber criminals use a wide range of tactics to get into victims’ accounts, often focusing on breaking weak and/or reused passwords.

cyber crime web shop - 3

Black hat hackers can not only harvest financial data from these accounts, but also use them to make purchases through them.

cyber crime web shop - 4

Credit card data remains one of the hottest commodities in the malware economy, providing easy access to cash, which cyber criminals can then turn into untraceable Bitcoins.

The server used for these criminal operations is located in St. Petersburg, Russia and is hosted on 5.101.66 [.] 85 (sanitized for your protection). The same server is also part of the infrastructure that fuels the Jaff ransomware attacks that have been sweeping across Europe and the rest of the world.

The cyber crime marketplace uses the following domains (sanitized for your protection):


And TOR:


cyber crime web shop jaff ransomware

This discovery shows once more that cyber criminal operations focus on diversifying their assets and revenue channels so they can play an increasingly larger role in the malware economy.

As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim.

What’s more, some of the largest data breaches in the past years (Target, Home Depot, TJX Companies, etc.) have targeted payment card data, constantly feeding the Dark Web with stolen credentials to be sold and purchased.

The information advantage is an ace that black hat hackers want to own, so they can play it at the right time.

By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment.

It can happen that we will see these two models combined, with data breaches becoming accompanied by subsequent ransomware attacks, which would make it a nightmare for companies to deal with.

The best protection against these attacks, for companies and home users alike, remains proactive security accompanied by at least basic cyber security education.

*This article features cyber intelligence provided by CSIS Security Group researchers.

Ransomware Explained. What It Is and How It Works

Why Malware as a Business is on the Rise

How Automation is Changing Cyber Crime: Exploits as a Service


The Cybercrime and malware attack have been common nowadays and that’s the issue to be taken as a burning topic. We should raise our voice against the cyber crime including the recently invented Pegasus spyware!

Thank for sharing informative blog!

Hey, Nice post about Cyber Security

I like it.Very good information

Really useful article many thanks for your kind words!

Glad to go through your blog with such a piece of helpful information

Provides good information on ransomware. Great Article.

Recently, Facebook has been facing a data privacy scandal. Spotify, Netflix and the Royal Bank of Canada were able to read, write and delete Facebook users’ private messages, and to see everyone on a message thread. Spotify could look at messages of more than 70 million users a month and still lets users share music through Facebook Messenger while Netflix and the Canadian bank have turned off features that incorporated message access. Imagine that?

Using this Online Homepage is a very good idea. This has no any condition and you will get the useful information how to delete search history of bing browser.

Good Read about cyber security & It’s complications.

good article about cyber security

hello good one such beautiful

nice article to share

Really useful article .Thanks! Your efforts are literally admiring.

Hello and many thanks for your kind words!

Leave a Reply

Your email address will not be published. Required fields are marked *