There is yet another ransomware on the block, but contrary to the many copycats out there this one appears to be more serious and widespread since it is part of the Necurs spam campaigns.
Originally identified by security researcher S!Ri, the Jaff ransomware looks very identical to Locky in many ways: same distribution via the Necurs botnet, same PDF that opens up a Word document with a macro, and also similar payment page.
However, this is where the comparison ends, since the code base is different as well as the ransom itself. Jaff asks for an astounding 2 BTC, which is about $3,700 at the time of writing.
Malwarebytes users are already protected against this ransomware thanks to our multi-layer defense. In the diagram below we show how the threat can be blocked via each of our protection modules (in a typical scenario, the threat would be stopped at the first layer which is the Application Behavior Protection):
In the meantime, the return of Locky after a short hiatus has not been as big as anticipated. The appearance of the Jaff ransomware may also take away some market shares from it.