Jaff Ransomware

Jaff Ransomware has many common features of malware in the same family. Like most it spreads via malicious spam with a .PDF file attached that links to an embedded Word document. On opening the PDF and attachment, the host opens the document in Microsoft Word.

The victim must enable a macro contained within the Word document which subsequently downloads and executes the Jaff Ransomware. Once the system is infected, the malware then encrypts specific file types on the system which are listed in the Fortinet article. A ransom note is then displayed with instructions to visit a .onion site located on the Tor Network.

For more technical detail and screenshots of the malware, please see the referenced Fortinet blog post.

Indicators of Compromise


Detection: W32/Jaff.ED11!tr.ransom

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: