Symantec has observed the Necurs botnet sending out the JAFF ransomware in its latest attacks. We have seen high volumes of these attacks being blocked since May 11th in the .Cloud infrastructure. The emails observed carry subject and body content referring to a recent scan, copy, document or invoice, and each one contains a malicious PDF attachment.
The PDF is crafted so that, once opened, the end user is prompted to open an embedded doc file. That embedded doc file contains malicious macros which, if executed, download and install the JAFF ransomware.
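The delivery chain above (lure subject, PDF attachment, embedded Office document, VBA macro) can be triaged layer by layer at the mail gateway. The following is an added example written for this page, not Symantec's detection logic: the indicator names, the weights and the verdict thresholds are hypothetical, and the PDF, the embedded document and the e-mail are constructed in the block so it runs offline.

```python
"""Layered triage of a mail attachment matching the Necurs/JAFF pattern:
lure subject -> PDF -> embedded .doc -> VBA macro with an auto-run entry.
Added example; all samples below are constructed, not real malware."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Subject themes the bulletin associates with this campaign.
LURE_WORDS = ("scan", "copy", "document", "invoice")
# Magic bytes of an OLE2 compound file (the legacy .doc container).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Strings found in VBA project streams, and the auto-run entry points a
# macro downloader needs in order to fire when the document is opened.
MACRO_MARKERS = (b"Attribute VB_", b"VBA_PROJECT", b"vbaProject")
AUTOEXEC_MARKERS = (b"AutoOpen", b"Document_Open", b"Workbook_Open")
# Hypothetical weights; tune to your own false-positive tolerance.
WEIGHTS = {"mail.lure_subject": 1, "mail.pdf_attachment": 1,
           "pdf.embedded_file": 2, "pdf.auto_action": 2,
           "pdf.embedded_office_doc": 3, "doc.vba_macro": 4,
           "doc.autoexec_macro": 4}


@dataclass
class Finding:
    indicator: str
    detail: str


def extract_embedded_files(pdf: bytes) -> list[tuple[str, bytes]]:
    """Return (name, payload) for each /EmbeddedFile stream.
    Regex-based and limited to uncompressed streams: real samples are
    usually /FlateDecode-compressed, so a deployed check must inflate
    streams first or use a proper PDF parser."""
    names = re.findall(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)", pdf)
    payloads = [m.group(1) for m in re.finditer(
        rb"/Type\s*/EmbeddedFile.*?stream\r?\n(.*?)\r?\nendstream", pdf, re.S)]
    out = []
    for i, payload in enumerate(payloads):
        name = names[i].decode("latin-1") if i < len(names) else f"unnamed-{i}"
        out.append((name, payload))
    return out


def triage_pdf(pdf: bytes) -> list[Finding]:
    findings = []
    if b"/EmbeddedFile" in pdf:
        findings.append(Finding("pdf.embedded_file", "PDF carries an embedded file"))
    if re.search(rb"/OpenAction|/JavaScript|/JS\b", pdf):
        findings.append(Finding("pdf.auto_action",
                                "open action / JavaScript present (used to prompt the user)"))
    for name, payload in extract_embedded_files(pdf):
        if name.lower().endswith((".doc", ".docm", ".dot", ".dotm")) or payload.startswith(OLE_MAGIC):
            findings.append(Finding("pdf.embedded_office_doc", f"embedded Office document {name!r}"))
        if any(m in payload for m in MACRO_MARKERS):
            findings.append(Finding("doc.vba_macro", f"VBA project markers in {name!r}"))
        if any(m in payload for m in AUTOEXEC_MARKERS):
            findings.append(Finding("doc.autoexec_macro", f"auto-run macro entry point in {name!r}"))
    return findings


def triage_email(subject: str, attachment_name: str, attachment: bytes) -> tuple[int, list[Finding]]:
    """Score one message; only PDF attachments are inspected here."""
    findings = []
    hits = [w for w in LURE_WORDS if w in subject.lower()]
    if hits:
        findings.append(Finding("mail.lure_subject", "subject mentions " + ", ".join(hits)))
    if attachment_name.lower().endswith(".pdf") and attachment.startswith(b"%PDF"):
        findings.append(Finding("mail.pdf_attachment", attachment_name))
        findings.extend(triage_pdf(attachment))
    score = sum(WEIGHTS.get(f.indicator, 1) for f in findings)
    return score, findings


def verdict(score: int) -> str:
    return "block" if score >= 8 else "review" if score >= 3 else "allow"


def build_sample_pdf(embedded: tuple[bytes, bytes] | None = None) -> bytes:
    """Constructed minimal PDF; with `embedded`, it carries one embedded
    file and an open action, mirroring the structure described above."""
    pages = (b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
             b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n")
    if embedded is None:
        return b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n" + pages + b"%%EOF\n"
    name, payload = embedded
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R /Names << /EmbeddedFiles "
            b"<< /Names [(" + name + b") 4 0 R] >> >> >> endobj\n" + pages +
            b"4 0 obj << /Type /Filespec /F (" + name + b") /EF << /F 5 0 R >> >> endobj\n"
            b"5 0 obj << /Type /EmbeddedFile /Length " + str(len(payload)).encode() + b" >>\nstream\n"
            + payload + b"\nendstream\nendobj\n"
            b"6 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n%%EOF\n")


# Constructed stand-in for a macro-bearing .doc: OLE magic plus VBA text.
SAMPLE_DOC = OLE_MAGIC + b"\x00" * 8 + b'Attribute VB_Name = "NewMacros"\r\nSub AutoOpen()\r\nEnd Sub'

if __name__ == "__main__":
    score, findings = triage_email("Invoice 0000392 - copy", "invoice.pdf",
                                   build_sample_pdf((b"invoice.doc", SAMPLE_DOC)))
    print(verdict(score), score, [f.indicator for f in findings])
```

For production use, hand the extracted document to a macro analyser such as oletools' olevba, and inspect the PDF with pdfid/pdf-parser, rather than relying on these regexes; the point of the example is the layering, where each stage of the described chain contributes its own indicator and the combination, not any single indicator, drives the verdict.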
Symantec Endpoint and .Cloud Products are blocking these emails as:
· Trojan.Pidief
· Trojan.Mdropper
· W97M.Downloader
The JAFF payload is being detected as:
· Ransom.Enciphered