Jaff Ransomware Caught at Georgia-based MSP

The Network: A Georgia-based IT outsourcing and technology services company that provides managed IT solutions to various companies and restaurants.

The Expectation: Prevention defenses are working. Anti-Virus and monitoring is in place to catch anything that slips through.

The Catch: Netsurion’s SOC analysts continuously hunt for threats that are gaining prominence, popularly known as emerging threats. A delay in Anti-Virus signature updates allowed a variant of Jaff ransomware to sneak in. In this case, Jaff ransomware was found to be impacting machines in the client environment, as supported by the logs that were found. The Jaff campaign began spewing out emails that pretended to be messages from local copy machines. These spam emails contained attachments that include an executable file, which encrypts a victim’s files and appends the .sVn, .WLU or .JAFF extension to the encrypted file names.

The Find: Half a dozen machines were impacted at the time of the catch. Analysts informed the customer right away via phone and email. Netsurion’s SOC analyst caught this by proactively running the rich log search function of EventTracker to check for emerging threats. He was able to identify files carrying the extensions that Jaff appends to the files it encrypts. Analysts were able to confirm the infection immediately, since the encrypt-then-delete pattern characteristic of ransomware variants was observed. The customer has since confirmed that the systems are now clean, and cited the delay in the A/V signature update. Furthermore, the SOC analysts provided remediation recommendations on decrypting the files.

The Fix: Isolate the systems in question from the network, run Anti-Malware and Anti-Virus scans, re-image, and put the systems back online. Netsurion’s SOC analysts continue to monitor the customer environment for variants and re-infection. Users should be educated to refrain from clicking on malicious phishing emails and to disable macros, and folders should be checked for files with .WLU or .JAFF extensions. Make sure to keep Anti-Virus updates current.
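Detection logic of the kind described under The Find and The Fix, as an added example that is not Netsurion’s or EventTracker’s code: it scans constructed file-activity log lines in a hypothetical `time host action path` format for files that gained one of the Jaff extensions while the original file was deleted, and reports the affected hosts.

```python
"""Flag hosts showing the Jaff encrypt-then-delete pattern in file-activity logs."""
from collections import defaultdict

# Extensions the case study attributes to Jaff variants (matched case-insensitively).
JAFF_EXTENSIONS = (".svn", ".wlu", ".jaff")

# Constructed sample lines in a hypothetical "time host action path" format.
SAMPLE_LOGS = """\
2017-05-12T09:01:05 WS-07 CREATE C:\\Users\\kim\\Docs\\budget.xlsx.jaff
2017-05-12T09:01:05 WS-07 DELETE C:\\Users\\kim\\Docs\\budget.xlsx
2017-05-12T09:01:06 WS-07 CREATE C:\\Users\\kim\\Docs\\notes.docx.WLU
2017-05-12T09:01:06 WS-07 DELETE C:\\Users\\kim\\Docs\\notes.docx
2017-05-12T09:02:11 WS-12 CREATE C:\\Data\\report.pdf.sVn
2017-05-12T09:02:11 WS-12 DELETE C:\\Data\\report.pdf
2017-05-12T09:03:40 WS-03 CREATE C:\\Temp\\build.log
2017-05-12T09:03:41 WS-03 DELETE C:\\Temp\\build.log
"""

def jaff_original(path):
    """Return the pre-encryption path if `path` ends in a Jaff extension, else None."""
    lower = path.lower()
    for ext in JAFF_EXTENSIONS:
        if lower.endswith(ext):
            return path[: -len(ext)]
    return None

def find_infected_hosts(log_text, min_pairs=1):
    """Map host -> sorted originals that gained a Jaff twin and were then deleted.
    Ordinary create/delete activity without a Jaff extension (WS-03) is not reported."""
    encrypted = defaultdict(dict)  # host -> {original_path: encrypted_path}
    deleted = defaultdict(set)     # host -> {deleted_path}
    for line in log_text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        _ts, host, action, path = fields
        if action == "CREATE":
            orig = jaff_original(path)
            if orig:
                encrypted[host][orig] = path
        elif action == "DELETE":
            deleted[host].add(path)
    hits = {}
    for host, pairs in encrypted.items():
        victims = sorted(o for o in pairs if o in deleted[host])
        if len(victims) >= min_pairs:
            hits[host] = victims
    return hits
```

Raising `min_pairs` trades a few missed early detections for fewer false positives on a single oddly named file.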