'Jaff' argh snakes: 5m emails/hour ransomware floods inboxes

The Necurs botnet has been harnessed to fling a new strain of ransomware dubbed "Jaff". Jaff spreads in a similar way to the infamous file-encrypting malware Locky and even uses the same payment site template, but is nonetheless a different monster. Attached to dangerous emails is an infectious PDF containing an embedded DOCM …

  1. Version 1.0

    PDF for best results

    If you want to hit businesses then PDF attachments are the best route. I guess it's time to go back to ASCII text for email and ban attachments altogether.

    "I would like to shake the hand of the man who first decided that e-mail clients should slice, dice and run arbitrary programs. Then I'd like to stir, blend and puree his hand." - sigmonster quote from the Monastery

    1. Stoneshop

      Re: PDF for best results

      Please download and open http://bit.ly/wDG62p8 * . Enclosed are instructions for paying your outstanding debit regarding blahblahwaffle.

      Which people will still blindly do.

      * actually http://hax0redsite.biz/innocuous/directory/invoice.pdf

    2. bombastic bob

      Re: PDF for best results

      I'd expect that using evince to read PDFs (rather than 'Adobe something') would mitigate the problem

  2. David Shaw

    If you want to help scientifically test email providers for security/etc

    https://mesa.jrc.ec.europa

    (I don't get to see any of the logs, so it's quite a safe test)

    It showed me that one of my email services was open to fraud/spam, and that two of them were probably ok!

    1. anothercynic

      Re: If you want to help scientifically test email providers for security/etc

      You're missing the .eu at the end. It's mesa.jrc.ec.europa.eu.

      :-)

      1. David Shaw

        Re: If you want to help scientifically test email providers for security/etc

        Thanks aCynic, yes, canonically the email provider test is at mesa.jrc.ec.europa.eu (why we need three 'europes' in the URL is beyond me!)

        a typical result is here

        STARTTLS  CERTIFICATE  SPF  DKIM  DMARC  DANE  DNSSEC
        100       50           100  100   100    0     0

        which ended up providing 'minimum security' - all weird & wonderful providers welcome

  3. Herby

    Law enforcement??

    Absent! When will they get serious about this and go after these guys. I'm sure that if it hit some law enforcement facility they might, but as of now I don't see any action.

    (*SIGH*)

    1. Richard 12

      Re: Law enforcement??

      Probably waiting until a national health service or a telecommunications provider gets hit.

      Oh.

    2. Boris the Cockroach

      Re: Law enforcement??

      Nope, won't even be those.

      Until a major bank is hit and money siphoned out of rich political donators accounts, nothing will be done....

      1. Alistair

        Re: Law enforcement??

        "Until rich political donators are hit and money siphoned out of Major Banks' account, nothing will be done...."

        FTFY.

        1. Anonymous Coward

          Re: Law enforcement??

          Well...then let us pray for Kochs'.

          1. Chairman of the Bored

            Re: Law enforcement??

            If it's a DDoS attack do I get to call it Koch blocking? Just askin'

    3. Anonymous Coward

      Re: Law enforcement??

      "When will they get serious about this and go after these guys. I'm sure that if it hit some law enforcement facility they might, but as of now I don't see any action."

      The 'law enforcement' types are too busy misleading the press on how illegal Kodi is. Where's the income opportunity in going after actual criminals like the ones we read about in this latest exploit?

  4. Mage

    Training and decent IT

    Nothing unusual about spam based ransomware

    "Forcepoint Security Labs reports that malicious emails carrying Jaff are being cranked out at a rate of 5 million an hour on Thursday"

    "The sprawling Necurs botnet went dormant around the start of the year before returning to spread Locky and more recently a pump-and-dump stock price scam. It's unclear if this week's switch to Jaff will be sustained but this likely depends on the success of the ransomware's "opening run""

    The one that was opened in various NHS trusts just had the added "spread by network share bug" uncovered by NSA.

    People are not only clicking on a link or opening attachments, but ALSO at LEAST once clicking on OK.

    Patches can be good (sometimes bad), but Training and decent IT, almost all the time is the best solution.

    Mitigation:

    1) Don't click on links or open attachments in email ever, unless expecting them. Hover mouse on links to see where they really go. (Training)

    2) Switch off/disable/uninstall all services not used

    3) Use a properly configured on-premises mail server appliance (free Linux box and open source POP/SMTP/IMAP, no need for Windows Server + Exchange) if more than three users. Mostly strip/textualise links and quarantine attachments.

    4) Only open document attachments with software that can't run macros or Active X or VBS

    2 to 4 are basic IT skills. Most MCSE/MCP courses are useless. I was an MCP with over 80% score in four MCSEs. They are rubbish. Microsoft marketing.
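As an added example (not from the article or any commenter), a defender-side attachment triage in the spirit of points 3 and 4 above: it walks a MIME message and quarantines macro-enabled Office attachments and PDFs that carry embedded files or active content, the container structure the article describes for Jaff's PDF-with-embedded-DOCM lure. The message, filenames and PDF bytes are all constructed here, not real samples.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed minimal PDFs (not real samples). The first mimics the lure structure
# the article describes: a PDF whose catalog carries an embedded file.
PDF_WITH_EMBEDDED = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 2 0 R >>"
    b" /OpenAction 3 0 R >> endobj\n"
    b"4 0 obj << /Type /EmbeddedFile /Length 3 >> stream\nabc\nendstream endobj\n%%EOF\n"
)
PLAIN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"

# PDF name tokens meaning "this file carries a payload or runs something on open".
RISKY_PDF_TOKENS = (b"/EmbeddedFile", b"/JavaScript", b"/Launch", b"/OpenAction", b"/AA")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")

def pdf_risk_tokens(data: bytes) -> list:
    """Return the risky PDF tokens present in data, or [] if it is not a PDF."""
    if not data.lstrip().startswith(b"%PDF"):
        return []
    # \b stops short names such as /AA from matching longer ones such as /AAPL.
    return [t.decode() for t in RISKY_PDF_TOKENS if re.search(re.escape(t) + rb"\b", data)]

def triage(raw: bytes) -> dict:
    """Map each attachment filename to ('quarantine' | 'allow', reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        tokens = pdf_risk_tokens(payload)
        if name.lower().endswith(MACRO_EXTENSIONS):
            verdicts[name] = ("quarantine", "macro-enabled Office document")
        elif tokens:
            verdicts[name] = ("quarantine", "PDF contains " + ", ".join(tokens))
        else:
            verdicts[name] = ("allow", "no embedded payload or active content found")
    return verdicts

def build_sample() -> bytes:
    """Constructed invoice-themed message: one clean PDF, one container PDF, one .docm."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "billing@example.invalid", "me@example.invalid", "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(PLAIN_PDF, maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(PDF_WITH_EMBEDDED, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"PK\x03\x04", maintype="application", subtype="octet-stream", filename="nm.docm")
    return msg.as_bytes()
```

Calling triage(build_sample()) allows report.pdf and quarantines invoice.pdf and nm.docm with the reason attached, which is the decision a mail gateway would log before the user ever sees the attachment.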

  5. Wensleydale Cheese

    "Most MCSE/MCP courses are useless. I was an MCP with over 80% score in four MCSEs. They are rubbish. Microsoft marketing."

    They are Microsoft Marketing.

    There, FTFY.
