add jaff Ransomware

clusters/ransomware.json

@@ -8120,7 +8120,28 @@
           ".vxLock"
         ]
       }
-    }
+    },
+    {
+      "value": "Jaff",
+      "description": "We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.",
+      "meta": {
+        "extensions": [
+          ".jaff"
+        ],
+        "encryption": "AES",
+        "ransomnotes": [
+          "WallpapeR.bmp",
+          "ReadMe.bmp",
+          "ReadMe.html",
+          "ReadMe.txt"
+        ],
+        "refs": [
+          "http://blog.talosintelligence.com/2017/05/jaff-ransomware.html",
+          "https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/"
+        ]
+      }
+    },
+
   ],
   "source": "Various",
   "uuid": "10cf658b-5d32-4c4b-bb32-61760a640372",