Jaff ransomware, the latest in malware offerings from the murky depths of the dark web, has been linked to a Russian dark web marketplace by security researchers at Heimdal Security.
The powerful ransomware was connected to the backend setup of what the investigators dubbed a “seemingly refined” darknet marketplace that specializes in the sale of stolen bank information and credit card data estimated to be in the “tens of thousands.”
Heimdal Security researchers are convinced that both the Jaff ransomware and the marketplace are run from a server with an IP address in St. Petersburg.
Capabilities of the Jaff Ransomware
Jaff ransomware came into the public eye after a recent global email campaign of an unprecedentedly large scale.
Much like the riotous Locky ransomware of 2016, the malware was spread through email as a PDF attachment embedded with Microsoft Word macros that conducted the downloading and execution of malicious code.
The similarities between the two ransomware strains extend to the payment site templates used by both of them.
Although the ransomware was launched around the same time the WannaCry crisis shook the globe, the $300 ransom demanded by the authors of WannaCry looks meager compared to the massive $5,130 (approximately 2 BTC) ransom required by Jaff ransomware authors.
The discovery of the links between Jaff ransomware and the Russian dark web marketplace has exposed the diversification of cybercrime as crooks rake in double profits by using the ransomware to collect information as well.
According to the Heimdal Security analysis, the ransomware doesn’t just encrypt its victim’s data; it can also be a very powerful information-harvesting tool.
This advanced business model allows these purportedly Russian cyber-crooks to not only reap a fast buck from their unsuspecting victims but also to double their return on investment using one diversified asset.
Credit card information and bank account credentials have long been monetized on the dark web by niche marketplaces.
However, this particular ransomware’s double-edged approach allows hackers to deploy the age-old ransomware tactic, as well as harvest sensitive data from victims’ devices without their knowledge.
For the average web user, Jaff ransomware is a serious threat to their information security.
The Long Game
Heimdal Security researcher Andra Zaharia noted with concern that cybercrime is evolving rapidly.
Darknet marketplaces that offer credible stolen information tend to come with high-entry barriers for obvious reasons, but this ransomware-affiliated site seems more lenient about who it caters to.
Her research shows that the marketplace carries listings of credit card details and bank information from around the globe, the majority of which appear to be from the United States, Spain, France, Australia, Canada, New Zealand, Italy and Germany.
The stolen bank account information features details such as the locations of these accounts, email addresses, and the victims’ remaining balance.
All this information is available for purchase even by low-level hackers, according to the security researcher.
Zaharia’s research outlined the evolution of cybercrime, specifically the business model under which these online crooks operate.
It is clear that the modern cybercriminal is more aware of the benefits that come from diversifying assets at the peril of their victims.
The report suggests that the malware economy is growing at an alarmingly high rate that shows no sign of slowing down anytime soon.
A Worrying Trend
Zaharia’s security analysis ends on a worrying note.
According to her conclusion, more and more dark web criminals are realizing the benefits of asset diversification.
While this translates to much more lucrative pickings for online crooks, it spells trouble for companies that will now be forced to deal with the threat of simultaneous data breaches and ransomware attacks.
The business model used by the Russian darknet marketplace could be heralding a much more dangerous era where internet security will be a shadow of what it is now.