Symantec has observed the Necurs botnet sending out the JAFF Ransomware in its latest attacks. We have seen high volumes of these emails being blocked in the .Cloud infrastructure since May 11th. The emails have subject and body content related to a recent scan, copy, document or invoice, and they carry a malicious PDF attachment.

The PDF is crafted so that, once it is opened, the end user is asked to open the embedded doc file. This embedded doc file contains malicious macros that, if executed, download and install the JAFF Ransomware.
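An analyst or mail gateway can triage attachments of this shape by checking the raw PDF for an embedded file combined with an open-time action. The following is an added example, not Symantec's detection logic: the keyword list, the verdict rules and the constructed sample bytes are assumptions of the example, and the advisory does not say which PDF feature produces the prompt.

```python
import re

# PDF name keywords to flag in an e-mail attachment (this example's choice,
# not a list taken from the advisory).
SUSPICIOUS = ("EmbeddedFile", "OpenAction", "AA", "JavaScript", "JS", "Launch")
# A PDF name is "/" followed by any bytes other than whitespace and delimiters.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /Embedded#46ile is read as EmbeddedFile."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Count flagged name tokens in raw PDF bytes.

    Names inside compressed object streams are not visible to this scan;
    a zero count there means "not seen", not "absent".
    """
    counts = dict.fromkeys(SUSPICIOUS, 0)
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in counts:  # exact match: /EmbeddedFiles is not counted
            counts[name] += 1
    return counts


def verdict(counts: dict) -> str:
    """Map keyword counts to a handling decision."""
    has_file = counts["EmbeddedFile"] > 0
    auto = counts["OpenAction"] + counts["AA"] > 0
    active = counts["JavaScript"] + counts["JS"] + counts["Launch"] > 0
    if has_file and auto and active:
        return "quarantine"  # embedded file plus something that acts on open
    return "review" if has_file or active else "pass"


# Constructed samples (not taken from a real attachment).
SAMPLE_FLAGGED = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /OpenAction 5 0 R "
                  b"/Names << /EmbeddedFiles 3 0 R >> >>\nendobj\n"
                  b"4 0 obj\n<< /Type /Embedded#46ile /Length 0 >>\nendobj\n"
                  b"5 0 obj\n<< /S /JavaScript /JS (placeholder) >>\nendobj\n%%EOF\n")
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, blob in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, verdict(triage_pdf(blob)), triage_pdf(blob))
```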

Symantec Endpoint and .Cloud Products are blocking these emails as:
· Trojan.Pidief
· Trojan.Mdropper
· W97M.Downloader

The JAFF payload is being detected as:
· Ransom.Enciphered

Began at:

Affected components