The Network: A Georgia-based IT outsourcing and technology services company that provides managed IT solutions to various companies and restaurants.
The Expectation: Prevention defenses (A/V) are working, and monitoring is in place to catch anything that slips through.
The Catch: EventTracker analysts continuously look for threats that are currently prominent, popularly known as “emerging threats.” A delay in A/V signature updates allowed a variant of Jaff ransomware to sneak in. In this case, Jaff ransomware was found to be impacting half a dozen machines in the client environment, and the logs recovered from those machines confirmed it. The Jaff campaign began spewing out emails that pretended to come from local copy machines. These SPAM emails carried attachments containing an executable file, which encrypts a victim’s files and appends the .sVn, .WLU or .JAFF extension to the encrypted file names.
The Find: Half a dozen machines were impacted at the time of detection. Analysts informed the customer right away via phone and email. The SOC analyst caught this by proactively running EventTracker’s log search function to check for emerging threats, searching for the file extensions that Jaff appends to encrypted files. Analysts were able to confirm the infection immediately because the encrypt-then-delete pattern typical of ransomware variants was observed in the logs. The customer has since confirmed that the systems are now clean, and cited the delay in A/V signature updates as the cause. Furthermore, the SOC analysts provided a solution to decrypt the files.
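The detection described above, as an added example that is not part of the original case study or EventTracker’s own product: a Python script that scans file-system audit log lines for the extensions Jaff appends to encrypted files (.sVn, .WLU, .JAFF) and, for each host, counts how many of those encrypted files have a matching deletion of the original file, which is the encrypt-then-delete pattern the analysts relied on. The log format (timestamp, host, FILE_CREATE or FILE_DELETE, path) and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Extensions the case study reports Jaff appending to encrypted files.
# Compared case-insensitively because the campaign used ".sVn".
JAFF_EXTENSIONS = (".svn", ".wlu", ".jaff")

# Hypothetical log format (constructed for this example, not EventTracker's):
#   <ISO timestamp> <host> <FILE_CREATE|FILE_DELETE> <full path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>FILE_CREATE|FILE_DELETE)\s+(?P<path>.+?)\s*$"
)

# Constructed sample lines: two hosts show Jaff activity, one is benign.
SAMPLE_LOG = r"""
2017-05-12T09:14:02Z WS-ACCT-07 FILE_CREATE C:\Users\jdoe\Documents\Q1-report.docx.jaff
2017-05-12T09:14:02Z WS-ACCT-07 FILE_DELETE C:\Users\jdoe\Documents\Q1-report.docx
2017-05-12T09:14:03Z WS-ACCT-07 FILE_CREATE C:\Users\jdoe\Documents\budget.xlsx.sVn
2017-05-12T09:14:03Z WS-ACCT-07 FILE_DELETE C:\Users\jdoe\Documents\budget.xlsx
2017-05-12T09:15:40Z WS-RECEP-01 FILE_CREATE C:\Share\menu.pdf.WLU
2017-05-12T09:16:11Z WS-IT-02 FILE_CREATE C:\Users\admin\notes.docx
2017-05-12T09:16:12Z WS-IT-02 FILE_DELETE C:\Users\admin\old.tmp
this line is not in the expected format and is skipped
"""


def jaff_extension(path):
    """Return the (lower-cased) Jaff extension if the path ends with one, else None."""
    lower = path.lower()
    for ext in JAFF_EXTENSIONS:
        if lower.endswith(ext):
            return ext
    return None


def find_jaff_activity(log_text):
    """Scan log lines and return, per host, the encrypted files seen and how
    many of them are paired with a deletion of the original (unencrypted) file."""
    created = defaultdict(dict)  # host -> {original path (lower): encrypted path}
    deleted = defaultdict(set)   # host -> {deleted path (lower)}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or unrelated line; a real parser would count these
        host, event, path = m["host"], m["event"], m["path"]
        if event == "FILE_CREATE":
            ext = jaff_extension(path)
            if ext:
                # Strip the appended extension to recover the original file name.
                original = path[: -len(ext)]
                created[host][original.lower()] = path
        elif event == "FILE_DELETE":
            deleted[host].add(path.lower())

    report = {}
    for host, files in created.items():
        pairs = [enc for orig, enc in files.items() if orig in deleted[host]]
        report[host] = {
            "encrypted_files": sorted(files.values()),
            "encrypt_delete_pairs": len(pairs),
        }
    return report


def rank_hosts(report):
    """Hosts ordered by strength of evidence: encrypt-then-delete pairs first,
    then the raw count of files carrying a Jaff extension."""
    return sorted(
        report,
        key=lambda h: (report[h]["encrypt_delete_pairs"], len(report[h]["encrypted_files"])),
        reverse=True,
    )


if __name__ == "__main__":
    rep = find_jaff_activity(SAMPLE_LOG)
    for host in rank_hosts(rep):
        r = rep[host]
        print(f"{host}: {len(r['encrypted_files'])} encrypted, "
              f"{r['encrypt_delete_pairs']} originals deleted")
```

A host with only encrypted-extension files (WS-RECEP-01 in the sample) is still worth an alert, since a share may be encrypted before the originals are removed; the encrypt-then-delete pairs simply raise confidence and help decide which machines to isolate first.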
The Fix: Isolate the systems in question from the network, run an anti-malware and anti-virus scan, re-image, and put the systems back online. EventTracker analysts continue to monitor the customer environment. Users should be educated to refrain from clicking on suspicious mails and to keep macros disabled, and should check for folders containing files with .WLU or .JAFF extensions. Make sure to keep A/V updates current.