SafeBreach Labs has updated the Hacker’s Playbook™ with simulations for JAFF Ransomware. Customers can use these simulations to safely test their security controls against the specific tactics and techniques used in this campaign.
The JAFF ransomware is distributed via the Necurs Botnet, which leverages spam email to distribute a malicious .PDF file. Opening this file executes a Microsoft Word document that contains a malicious macro, which downloads the actual JAFF ransomware resulting in data encryption.
To assess security control effectiveness against JAFF, the SafeBreach Continuous Security Validation Platform specifically tests the following endpoint and network security controls:
Playbook #1301 – Initial download via HTTP/S
- Network Intrusion Detection Systems – Is the initial C2 communication and download of JAFF malware being stopped?
Playbook # 1302 – Writing malware to disk
- Host/Endpoint security and antivirus – Does your endpoint security/antivirus product prevent the first phase of local installation of the JAFF ransomware?
Playbook # 1303 – Writing malware to disk
- Host/Endpoint security and antivirus – Does your endpoint security/antivirus product prevent the first phase of local installation of the Malicious document file, that contains the macro that downloads and executes the JAFF Malware?
Playbook #1304 Transfer via HTTP/S
- Internal network controls – Is the internal transfer of initial droppers being stopped between hosts?
In addition to these JAFF specific methods, customers can test security control effectiveness against other malware distributed via the Necurs Botnet, such as Locky and Dridex, with the existing playbook methods: #275, #310, #358, #578, #710, and #954.
The SafeBreach Hacker’s Playbook™ of breach methods simulates these breach scenarios, and thousands more, without impacting users or infrastructure. Breach methods are constantly updated by SafeBreach Labs, our team of offensive security researchers, to help keep customers ahead of attacks.
In order to search, view or list the contents of a specific playbook ID within SafeBreach Platform, please follow this support KB article.