
An ongoing Jaff ransomware campaign shares ties with a dark web store that specializes in digital crime.

Jaff has been around since at least early May 2017 and has undergone at least one update since then. Even so, the finer details of its infection flow haven't changed much in that time. Users receive an email with a malicious PDF attachment. If they open it, the PDF prompts them to open an embedded Word document containing malicious macros. Enabling that content runs the ransomware payload, which encrypts the user's data.

Partial Jaff infection flow. (Source: Heimdal Security)
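The chain above (PDF, embedded Word document, VBA macro) is something a mail gateway or incident responder can check for without opening anything. The script below is an added example, not Heimdal Security's code and not the campaign's: it walks one level of embedding, inflating Flate-compressed embedded-file streams, and decides whether the inner Office package carries VBA by content rather than by extension. The sample PDF and the sample .docm are constructed inline; the OpenAction with JavaScript in the sample is one common way a PDF prompts the user to open its payload, and is an assumption here since the article does not say which mechanism Jaff uses.

```python
"""Triage of a Jaff-style attachment: a PDF wrapping a macro-enabled Word file.
Added example; not Heimdal Security's or the campaign's code."""
import io
import re
import zipfile
import zlib

# PDF object keys relevant to this delivery chain. The \b stops "/EmbeddedFile"
# from also matching the "/EmbeddedFiles" name tree, which is not a stream.
PDF_INDICATORS = [
    (rb"/EmbeddedFile\b", "embedded file stream"),
    (rb"/OpenAction\b", "action runs when the document is opened"),
    (rb"/Launch\b", "launch action"),
    (rb"/JavaScript\b|/JS\b", "JavaScript"),
]
STREAM_KW = re.compile(rb"\bstream\r?\n")        # \b excludes "endstream"
FILE_NAME = re.compile(rb"/(?:UF|F)\s*\(([^)]*)\)")  # names declared in Filespecs


def pdf_indicators(data: bytes) -> list:
    """Names of the PDF features above that appear anywhere in the file."""
    return [name for pat, name in PDF_INDICATORS if re.search(pat, data)]


def embedded_streams(data: bytes) -> list:
    """Bytes of every /EmbeddedFile stream, inflating /FlateDecode streams."""
    out = []
    for m in re.finditer(rb"/Type\s*/EmbeddedFile\b", data):
        kw = STREAM_KW.search(data, m.end())
        if kw is None:
            continue
        header = data[data.rfind(b" obj", 0, m.start()):kw.start()]  # stream dict
        length = re.search(rb"/Length\s+(\d+)", header)
        if length:  # trust /Length; binary bodies may contain "endstream"
            end = kw.end() + int(length.group(1))
        else:
            end = data.find(b"endstream", kw.end())
        body = data[kw.end():end].rstrip(b"\r\n")
        if b"/FlateDecode" in header:
            body = zlib.decompress(body)
        out.append(body)
    return out


def has_vba_macros(data: bytes) -> bool:
    """True if an OOXML package (docm, dotm, xlsm ...) carries a VBA project.
    Decided on content, so a .docm renamed to .docx still counts."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if any(n.endswith("vbaProject.bin") for n in names):
            return True
        return ("[Content_Types].xml" in names
                and b"macroEnabled" in z.read("[Content_Types].xml"))


def triage(attachment: bytes) -> dict:
    """Classify one attachment and look one level into a PDF's embedded files."""
    if attachment.startswith(b"%PDF-"):
        embedded = embedded_streams(attachment)
        return {
            "kind": "pdf",
            "indicators": pdf_indicators(attachment),
            "declared_names": sorted({n.decode("latin-1") for n in FILE_NAME.findall(attachment)}),
            "embedded_total": len(embedded),
            "embedded_with_macros": sum(has_vba_macros(e) for e in embedded),
        }
    if zipfile.is_zipfile(io.BytesIO(attachment)):
        return {"kind": "office", "macros": has_vba_macros(attachment)}
    return {"kind": "other"}


def _build_docm(with_macros: bool) -> bytes:
    """Constructed minimal OOXML package containing only the parts the check reads."""
    ctype = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
             else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not real VBA")
    return buf.getvalue()


def _build_pdf(payload: bytes, name: bytes = b"invoice.docm") -> bytes:
    """Constructed PDF: embeds `payload` as a Flate stream and prompts on open (assumed mechanism)."""
    comp = zlib.compress(payload)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /OpenAction << /S /JavaScript /JS (this.exportDataObject({cName:'"
        + name + b"', nLaunch:2})) >> /Names << /EmbeddedFiles << /Names [(" + name + b") 2 0 R] >> >> >>\nendobj\n"
        b"2 0 obj\n<< /Type /Filespec /F (" + name + b") /UF (" + name + b") /EF << /F 3 0 R >> >>\nendobj\n"
        b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length " + str(len(comp)).encode()
        + b" >>\nstream\n" + comp + b"\nendstream\nendobj\n%%EOF\n"
    )


SAMPLE_PDF = _build_pdf(_build_docm(True))  # constructed sample, not a Jaff specimen

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Real samples add obfuscation this does not unwind (object streams, other filters, macros hidden in OLE rather than OOXML), so treat a hit as a reason to detonate in a sandbox or quarantine, not as the only check; but a PDF that both auto-runs on open and carries a macro-enabled Office package is exactly the shape the article describes and is rare in legitimate mail.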

Those who created Jaff rely on a server hosted at 5.101.66 [.] 85 and located in St. Petersburg, Russia. As it turns out, this server doesn't just fuel ransomware attacks in Europe and the rest of the world. Andra Zaharia, a security evangelist at Heimdal Security, explains that it also powers an underground web marketplace for criminals:

“By following the trail and digging deeper into cyber criminal infrastructure, researchers discovered the web shop that provides access to tens of thousands of compromised bank accounts, complete with details about their balance, location and attached email address.

“Malicious hackers can use Bitcoins to purchase stolen credit cards, some of which have already been verified, and compromised accounts on Paypal, Amazon, eBay and many more.”

Screenshot of dark web marketplace. (Source: Heimdal Security)

Members of the dark web store can use the stolen cards and compromised accounts they purchase to harvest additional data via targeted attacks. They can then monetize this information on similar underground forums. Alternatively, they can leverage the advertised financial data to make fraudulent purchases.

The digital crime marketplace is available at the following domains:


Map of assets connected to 5.101.66 [.] 85. (Source: Heimdal Security)

Zaharia is concerned by the fact that the marketplace, "PaySell," and Jaff ransomware share server space:

“By combining these informational assets, cyber criminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment.

“It can happen that we will see these two models combined, with data breaches becoming accompanied by subsequent ransomware attacks, which would make it a nightmare for companies to deal with.”

Needless to say, companies are responsible for implementing security awareness training for their employees, along with other technical safeguards, to protect their customers' information. At the same time, individual users should keep their systems up to date, avoid suspicious links and email attachments, back up their data on a regular basis, use a strong, unique password for each web account, and enable two-factor authentication (2FA) on every account whose provider offers it. In the event users suffer a ransomware infection, they should try to avoid paying the ransom and follow these steps.