An investigation into a new strain of Jaff ransomware uncovered a shared backend infrastructure between the malware and a black market bazaar selling stolen bank and credit card account information.
Researchers at Heimdal Security said the cybercrime marketplace they found appeared mature, offering access to “tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address,” and suspect those behind the Jaff malware and the marketplace are linked.
“As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim. By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment,” wrote Andra Zaharia, security evangelist.
Jaff has been on researchers’ radar screen a few short weeks, and has been behind a number of large-scale email campaigns each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the ransomware.
While researchers are still learning about Jaff, Cisco Talos said the malware shares some of the same distribution characteristics and C2 communication patterns as Dridex and Locky campaigns.
“We are still gathering data to confirm this, but the hypothesis is that there may be a connection between this batch of stolen data and Dridex. Dridex, Locky and Jaff use the same botnet for distribution (Necurs), which provides a strong hint as to where at least some of the compromised records may be coming from,” said Peter Kruse, founder of CSIS Security Group, who also contributed to the report released Friday.
Those compromised records include user account information for bank accounts primarily located in the United States, Germany, France and Spain.
“What’s more, the shop also includes filters, so the buyer can find the targets with the most lucrative potential,” Zaharia wrote. “Credit card data remains one of the hottest commodities in the malware economy, providing easy access to cash, which cyber criminals can then turn into untraceable Bitcoins.”
Prices for the compromised accounts listed in the marketplace range from under $1 to a few bitcoins, depending on the item.
Both the cybercrime marketplace and the Jaff infrastructure shared similar domains such as http://paysell[.]info, http://paysell[.]net and http://paysell[.]me. The server hosting both Jaff and the black market bazaar backend is located in St. Petersburg, Russia, according to Heimdal Security.
“It can happen that we will see these two models combined, with data breaches becoming accompanied by subsequent ransomware attacks, which would make it a nightmare for companies to deal with,” Zaharia said.