Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart
Jaff ransomware makes entries in the Windows Registry to achieve a form of persistence, and even launch and repress processes inside the Windows Operating System. Some of these entries are designed in a way that will start the virus automatically with every launch of Windows. One registry entry reported to be implemented by this ransomware is the following:
→HKCU\Control Panel\Desktop\Wallpaper “C:\ProgramData\Rondo\WallpapeR.bmp”
The ransom note will be displayed after the encryption process is complete. It will be put in three identical files which are ReadMe.bmp, ReadMe.html and ReadMe.txt. Inside them there will be instructions.
Jaff Ransomware Indicators of Compromise (IOCs) IOC IOC Type Description