Since Thursday, May 11, the media has been preoccupied by an unprecedented series of cyber attacks that have crippled companies worldwide. However, it has gone largely unnoticed that these are in fact two very separate waves of attacks.
The first wave, Wannacry, has already infected nearly 210,000 machines in 99 countries. It has been the primary recipient of most of the press coverage and is primarily propagating as a worm.
The second attack is also massive but has been largely ignored by many press accounts. This is a variant of the famous Locky malware, called Jaff, and it is being primarily distributed by email.
Over 48 hours on May 11 and 12, Vade Secure blocked more than 630,000 emails containing the Jaff ransomware.
Georges Lotigier, CEO of Vade Secure, commented: “Ransomware is back in the spotlight again with a significant global impact. However, there is some good news. According to our estimates, the ransomware Wannacry has only generated about $35,000 for its designers. Most companies have not paid up.”
Technical evangelist Sébastien Gest summarizes what Vade Secure has seen of these attacks from the viewpoint of its 24/7 threat centers that monitor 400 million email boxes worldwide.
The attack of the Jaff ransomware was detected on Thursday, May 11. Within 48 hours, the Vade Secure filter detected 633,920 emails containing the Jaff ransomware. This ransomware uses a .docm file itself embedded in a PDF file. When the docm file is opened, a macro downloads the malicious payload and starts the encryption of the infected machine. According to our analysis, the similarities of Jaff with Locky are numerous, and it is essentially a mutation of Locky malware that has been reengineered to get past email filters.
Jaff uses email as its primary propagation vector. Vade Secure successfully blocks this attack, but many email filters did not catch it in the first 48 hours of the attack.
The Jaff attacks follow the same process in encrypting files and demanding payment as Locky. Each malicious email contains a “clean” PDF that then downloads a MS Word document that in turn utilizes a macro to download and activate the main ransomware payload. This process can fool most email filters to allow it through unless they have a specific file signature that they can blacklist.
“Wannacry” (Initially Called Ransom.CryptXXX)
Following the analysis of our teams, we cannot say with certainty if the initial propagation vector of the ransomware Wannacry was email or if it is being distributed in this fashion as a second wave.
According to our observations, the first wave seems to have used a flaw of the Windows SMB protocol in its version v1. Some confusion on the malwa