Jaff Ransomware Linked to Extensive Data Harvesting Operation
Jaff, a ransomware family that emerged on May 12, the same day WannaCry did, appears to be linked to wider operations: a recent sample was found to share server space with a sophisticated cybercrime marketplace, Heimdal Security warns.
Distributed via PDF documents attached to spam e-mail sent by the Necurs botnet, Jaff was already said to be operated by the group behind Locky and Dridex, which also recently released the Bart ransomware.
Heimdal Security says Jaff shares server space with a cybercrime web shop that offers access to tens of thousands of compromised bank accounts, along with information on their balance, location, and the email address attached to each.
The marketplace also allows cybercriminals to acquire stolen credit cards (some already verified), along with compromised accounts on PayPal, Amazon, eBay, and other online services. Some of the items sell for less than a dollar, while others are priced at several Bitcoins, the researchers say.
The marketplace doesn’t vet its users, which means that all kinds of malicious actors can gain access to the stolen goods.
The marketplace lists financial institutions from all around the world, with almost all of the compromised accounts apparently coming from the U.S., Germany, France, Spain, Canada, Australia, Italy and New Zealand.
The marketplace also sells other types of user accounts that include financial data, such as accounts for portals like Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com, and other e-commerce services.
“This does not signify those specific web shops have been affected. Cybercriminals use a variety of tactics to get into victims’ accounts, often centering on breaking weak and reused passwords,” Heimdal Security evangelist Andra Zaharia notes.
The attackers can use these accounts to make fraudulent purchases or to harvest financial information about their owners. With access to stolen Visa or MasterCard data, cybercriminals gain quick access to cash that can then be turned into hard-to-trace Bitcoins.
According to Heimdal Security, the server this marketplace is hosted on is located in St. Petersburg, Russia, at IP 5.101.66[.]85. “The same server is also part of the framework that fuels the Jaff ransomware attacks which may have recently been sweeping across Europe and the rest of the world,” Zaharia says.
Both the cybercrime marketplace and the Jaff infrastructure share domains such as http://paysell[.]info, http://paysell[.]net and http://paysell[.]me. The server hosting both the Jaff backend and the black market bazaar is located in St. Petersburg, Russia, according to Heimdal Security.
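For defenders, the practical value of this overlap is that the published indicators (the three paysell domains and the IP address above) can be matched against proxy and DNS logs to spot hosts that touched either the ransomware infrastructure or the marketplace. The script below is an added example, not code from Heimdal Security or SecurityWeek: it refangs the indicators exactly as the article prints them, then scans a set of constructed log lines (not real logs) for exact or subdomain matches on hostnames and exact matches on IP addresses.

```python
import ipaddress
import re

# Indicators as published in the article, kept in defanged form.
PAGE_IOCS = ["paysell[.]info", "paysell[.]net", "paysell[.]me", "5.101.66[.]85"]

# Constructed sample log lines for demonstration only (not real traffic).
SAMPLE_LOG = [
    "2017-06-14T10:01:02Z proxy src=10.0.0.12 dst=www.example.com:443 action=allow",
    "2017-06-14T10:01:05Z dns query=paysell.info type=A client=10.0.0.12",
    "2017-06-14T10:01:06Z proxy src=10.0.0.12 dst=5.101.66.85:80 action=allow",
    "2017-06-14T10:02:00Z dns query=updates.paysell.net type=A client=10.0.0.33",
    "2017-06-14T10:03:00Z proxy src=10.0.0.12 dst=mail.example.org:25 action=allow",
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def refang(ioc):
    """Turn a defanged indicator (paysell[.]info, hxxp://...) back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(iocs):
    """Split the indicator list into a set of domains and a set of IP addresses."""
    domains, ips = set(), set()
    for ioc in iocs:
        value = refang(ioc).lower()
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.rstrip("."))
    return domains, ips


def host_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log(lines, iocs):
    """Return (line_number, matched_indicator) for every line that hits an IoC.

    Hostnames are checked first so that a line is reported once, by its most
    specific indicator; IP matches are exact, since a /32 is all the page gives.
    """
    domains, ips = build_matcher(iocs)
    hits = []
    for number, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host_matches(host, domains):
                hits.append((number, host))
                break
        else:
            for ip in IP_RE.findall(line):
                if ip in ips:
                    hits.append((number, ip))
                    break
    return hits


if __name__ == "__main__":
    for number, indicator in scan_log(SAMPLE_LOG, PAGE_IOCS):
        print(f"line {number}: matched {indicator}")
```

Subdomain matching matters because command-and-control and payment hosts are frequently served from labels under the listed apex domain; the trade-off is that a match on a shared hosting IP says only that the host contacted that server, not which of the two services it reached, so the IP hit should be corroborated with the DNS or proxy hostname from the same session.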
Ransomware attacks often also aim to steal as much user information as possible, but there doesn’t appear to be evidence that the stolen credentials offered on this cybercrime marketplace were exfiltrated using Jaff.
In fact, Heimdal could not tell SecurityWeek how the stolen data might have been acquired. Possible explanations, however, include the use of various malware, or the exploitation of the large number of credentials that surfaced online last year in major data breaches affecting popular online platforms.