Jaff ransomware server also hosting Dark Web PII fencing operation
Jaff ransomware server also hosting Dark Web PII fencing operation

WannaCry ransomware stole most of the headlines in May, but researchers have noted that the operators of Jaff ransomware, which was wreaking havoc at the same time, may have opened an e-commerce site to sell it's stolen information.

Heimdal Security Evangelist Andra Zaharia blogged that a Dark Web department store peddling a variety of personal information is being operated from the same server where Jaff is pushed. Jaff's home server is hosted on 5.101.66 [.] 85 and located in St. Petersburg, Russia, that is also where Zaharia  said the “refined cybercrime web store” can be found. The e-commerce discovery took place while researchers were investigating a new variant of the ransomware.

The store has a treasure trove of stolen consumer data for sale, including compromised bank accounts, stolen credit card information that has been verified as legitimate along with account information for Amazon, PayPal and eBay.

What was particularly interesting to Zaharia was how the ill-gotten gains were so well organized.

“What's more, the shop also includes filters, so the buyer can find the targets with the most lucrative potential. For example, the screenshot below shows that the compromised accounts from New Zealand bank ASB listed in the shop total up to $275,241,” she said.

The fact that Jaff and the Dark Web fencing operation are both located on the same server proves that any money a person business loses when hit with a ransomware attack is just the tip of the iceberg.

“As we know, a ransomware attack never stops at just encrypting data. It also harvests as much information as possible about the victim,” she said, adding this gives them the ability to make a quick score through the ransom payment while creating a long-term money machine by storing and selling all the information gleaned during the ransomware attack.

Starting in early May, Jaff has proliferated at an incredible rate. A typical Jaff attack starts with a phishing email requesting the recipient download a PDF, which when open prompts the person to click on an additional file which drops the malware.

Forcepoint reported that within a four-hour period, the number of Jaff attacks observed by its systems totaled 13 million, with traffic volumes peaking at nearly 5 million attack emails per hour.  Check Point Software Technologies reported that at one point, its global sensors detected an infection rate of approximately 10,000 emails sent per hour. And Cisco Talos reported observing over 100,000 malicious messages over two separate campaigns.

From a volume standpoint this is much larger than WannaCry which infected about 300,000 computers.