Hackers behind a new ransomware giving away free decryption key to victims who infect others
The ransomware called Jaff is new on the scene, but spreading quickly iStock

Security experts have warned that a new strain of ransomware – dubbed 'Jaff' – is hitting targets across the globe and demanding 1.79 Bitcoin (£2,780, $3,500) from infected users to unlock their encrypted computer files.

According to Forcepoint Security Lab, a malicious phishing campaign being spread by a notorious botnet called "Necurs" was observed this week (11 May) to be sending up to five million emails per hour. Upon analysis, it shows indications of being linked to the 'Locky' ransomware.

Researchers said the campaign kicked off just before 9am (BST) and peaked at 1pm (BST).

During this period, over 13 million emails were recorded and blocked, the security firm said in a blog post.

A YouTube video posted online demonstrates the malware in action. The campaign had a global scope, mostly focusing on .com domains.

The researchers said it targeted organisations in Ireland, Israel, Belgium, the Netherlands, Italy, Germany, France, Mexico, Australia, Sri Lanka and Peru.

Unlucky for users, it is reportedly capable of offline encryption.

Once infected on a target's computer, the ransom notes are dropped and the desktop background of the system is replaced with a message warning: "Files are encrypted. To decrypt files you need to obtain the private key." It directs to a URL hosted on the dark web, accessable via Tor.

Both Jaff and Locky share the distribution channel of the Necurs botnet and the researchers said the Tor website it directs users to is similar for both strains.

The researchers said: "The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point is the weak point: by potentially reaching so many people, campaigns such as this can – and do – succeed in infecting people.

"It's easy to be dismissive of broad-reach email campaigns such as this and focus on the more 'glamorous' world of spearphishing [but] a broad scope, coupled with low antivirus detection rates at the time of the campaign, once again highlights the necessity of defence-in-depth.

"At the time of writing it is unclear if Jaff's links with Locky extend beyond the visual structure of the URLs and documents employed. What is clear, given the volume of messages sent, is that the actors behind the campaign have expended significant resources on making such a grand entrance.

"With the high ransom value suggesting the perpetrators of this campaign intend to recoup their costs, it would be surprising if Jaff fades from the limelight as suddenly."