Security Alert: Jaff Ransomware Operation Tied to Cyber Crime Marketplace
Cyber criminal infrastructure reveals compromised accounts put up for sale
Jaff ransomware, one of the newest and fastest-rising strains, has been sweeping the world over the past month. As it turns out, the operation behind it extends well beyond encrypting victims' data.
While analyzing a recent variant of Jaff, researchers have uncovered that this ransomware type shares server space with a refined cyber crime web store.
As observed in previous campaigns, the Jaff ransomware infection starts with a malicious PDF, which, when opened, prompts the user to click on an additional file, while triggering the infection in the background.
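The lure described above is a PDF that carries a second file and nudges the user into opening it. One structural check a mail gateway or analyst can run is to look for the PDF name tokens that make such a document possible at all: an embedded file attachment combined with an action that fires on open. The scanner below is an added example written for this alert, not code from the researchers or from any Jaff sample; the PDF it scans is a constructed minimal fragment built to exercise the indicators, and the attachment name in it is invented.

```python
import re

# Constructed minimal PDF fragment (not a real sample) that carries a file
# attachment plus an auto-run JavaScript action, mirroring the lure structure.
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /Names << /EmbeddedFiles 6 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /EmbeddedFile /Length 3 >> stream
abc
endstream endobj
5 0 obj << /S /JavaScript /JS (app.alert\(1\)) >> endobj
6 0 obj << /Names [(attachment.bin) << /Type /Filespec /F (attachment.bin) /EF << /F 4 0 R >> >>] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign PDF for comparison: one empty page, no actions, no attachments.
BENIGN_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# PDF name tokens worth counting, with what each one means for triage.
INDICATORS = {
    b"/EmbeddedFile": "a file is embedded in the document",
    b"/OpenAction": "an action runs automatically when the document opens",
    b"/JavaScript": "the document carries a JavaScript action",
    b"/JS": "inline JavaScript code",
    b"/Launch": "an action that launches an external application or file",
}


def scan_pdf(data: bytes) -> dict:
    """Return {indicator: count} for the raw PDF bytes.

    A plain token scan is deliberate: it also works on malformed PDFs that a
    full parser rejects. The lookahead stops '/EmbeddedFile' from matching the
    dictionary key '/EmbeddedFiles' and '/JS' from matching longer names.
    """
    found = {}
    for token in INDICATORS:
        pattern = re.escape(token) + rb"(?=[\s/\[\]<>(])"
        count = len(re.findall(pattern, data))
        if count:
            found[token.decode()] = count
    return found


def risk_level(found: dict) -> str:
    """An attachment on its own is common; an attachment plus something that
    runs or launches on open is the combination seen in document lures."""
    has_attachment = "/EmbeddedFile" in found
    has_autorun = any(k in found for k in ("/OpenAction", "/JavaScript", "/JS", "/Launch"))
    if has_attachment and has_autorun:
        return "high"
    if has_attachment or has_autorun:
        return "medium"
    return "low"


if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        hits = scan_pdf(blob)
        print(name, risk_level(hits), {k: INDICATORS[k.encode()] for k in hits})
```

One caveat: a real document may hide these names inside FlateDecode-compressed object streams, where a raw token scan will not see them. In practice the scan is run after decompressing streams (or alongside a tool that does), and a "high" result is a reason to detonate or quarantine, not proof of maliciousness by itself.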
By following the trail and digging deeper into cyber criminal infrastructure, researchers discovered the web shop that provides access to tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address.
Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, and compromised accounts on PayPal, Amazon, eBay and many more.
Prices per item vary from under a dollar to several Bitcoins.
Access to the marketplace doesn’t include a vetting process, making the barrier to entry quite low for malicious actors of all kinds.
What’s more, the shop also includes filters, so the buyer can find the most lucrative targets. For example, the screenshot below shows that the compromised accounts from New Zealand bank ASB listed in the shop total up to $275,241.
Banks from all over the world are listed, ranging from German financial institutions to US and Australian ones. The highest volume of compromised records appears to originate from these countries: USA, Germany, France, Spain, Canada, Australia, Italy and New Zealand.
Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com and many other ecommerce portals can become victims of cyber fraud or other types of malicious activity.
This doesn’t mean that those specific web shops have been compromised. Cyber criminals use a wide range of tactics to get into victims’ accounts, often focusing on breaking weak and/or reused passwords.
Black hat hackers can not only harvest financial data from these accounts, but also use the accounts themselves to make purchases.
Credit card data remains one of the hottest commodities in the malware economy, providing easy access to cash, which cyber criminals can then turn into untraceable Bitcoins.
The server used for these criminal operations is located in St. Petersburg, Russia and is hosted on 5.101.66 [.] 85 (sanitized for your protection). The same server is also part of the infrastructure that fuels the Jaff ransomware attacks that have been sweeping across Europe and the rest of the world.
The cyber crime marketplace uses the following domains (sanitized for your protection):
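Indicators in alerts like this one are published defanged ("5.101.66 [.] 85") so that they cannot be clicked by accident, which means a defender has to refang them before sweeping proxy or DNS logs. The script below is an added example, not part of the original alert or the researchers' tooling: it normalises defanged indicators, compiles IP indicators with strict boundaries and domain indicators so that subdomains also match, and runs them over a few constructed log lines. The IP is the one quoted in the text above; the marketplace domains are not reproduced on this page, so a clearly labelled placeholder stands in for them.

```python
import re
from ipaddress import ip_address

# Defanged indicators as they would be copied from the alert. The IP comes
# from the text above; the domain is a placeholder because the real domains
# are not reproduced on this page.
DEFANGED_IOCS = [
    "5.101.66 [.] 85",
    "marketplace-domain-placeholder[.]invalid",  # placeholder, not a real IoC
]

# Constructed proxy/DNS log lines for the demonstration. Line 4 is a near miss
# that a naive substring search would wrongly flag.
LOG_LINES = [
    "2017-06-12T09:14:01Z proxy CONNECT 5.101.66.85:443 src=10.0.3.17 user=jsmith",
    "2017-06-12T09:14:02Z proxy GET http://updates.example.com/feed src=10.0.3.17",
    "2017-06-12T09:15:40Z dns query shop.marketplace-domain-placeholder.invalid from 10.0.3.22",
    "2017-06-12T09:16:00Z proxy GET http://5.101.66.850/ src=10.0.3.9",
]


def refang(ioc: str) -> str:
    """Turn '5.101.66 [.] 85', 'x(.)y' or 'hxxp://x[.]y' back into a matchable form."""
    s = ioc.strip().lower()
    s = re.sub(r"\s*\[\s*\.\s*\]\s*", ".", s)  # ' [.] ' or '[.]' -> '.'
    s = re.sub(r"\s*\(\s*\.\s*\)\s*", ".", s)  # '(.)' -> '.'
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    return s


def compile_needle(ioc: str) -> re.Pattern:
    """IP indicators must match the whole address; domain indicators should
    also match any subdomain of the listed host."""
    value = refang(ioc)
    try:
        ip_address(value)
        return re.compile(r"(?<![\d.])" + re.escape(value) + r"(?![\d.])")
    except ValueError:
        return re.compile(r"(?<![\w-])(?:[\w-]+\.)*" + re.escape(value) + r"(?![\w-])")


def sweep(log_lines, iocs):
    """Return [(line_number, refanged_indicator)] for every log line that hits."""
    needles = [(refang(i), compile_needle(i)) for i in iocs]
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        low = line.lower()
        for value, pattern in needles:
            if pattern.search(low):
                hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    for lineno, value in sweep(LOG_LINES, DEFANGED_IOCS):
        print(f"line {lineno}: matched {value}")
```

The boundary lookarounds are what make the near miss on line 4 a non-match, and a hit on the refanged IP is a reason to pull the full session for that source host rather than, by itself, a confirmed infection.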
This discovery shows once more that cyber criminal operations focus on diversifying their assets and revenue channels so they can play an increasingly larger role in the malware economy.
As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim.
What’s more, some of the largest data breaches in the past years (Target, Home Depot, TJX Companies, etc.) have targeted payment card data, constantly feeding the Dark Web with stolen credentials to be sold and purchased.
The information advantage is an ace that black hat hackers want to own, so they can play it at the right time.
By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment.
We may well see these two models combined, with data breaches followed by ransomware attacks, a combination that would be a nightmare for companies to deal with.
The best protection against these attacks, for companies and home users alike, remains proactive security accompanied by at least basic cyber security education.
*This article features cyber intelligence provided by CSIS Security Group researchers.