Jaff Ransomware has many common features of malware in the same family. Like most it spreads via malicious spam with a .PDF file attached that links to an embedded Word document. On opening the PDF and attachment, the host opens the document in Microsoft Word.

The victim must enable a macro contained within the Word document which subsequently downloads and executes the Jaff Ransomware. Once the system is infected, the malware then encrypts specific file types on the system which are listed in the Fortinet article. A ransom note is then displayed with instructions to visit a .onion site located on the Tor Network.

For more technical detail and screenshots of the malware, please see the referenced Fortinet blog post.

Indicators of Compromise

387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092

Detection: W32/Jaff.ED11!tr.ransom