Breach Monitoring

Breach Monitoring News Feed

Real-time tracking of threat actors, active data leaks, and cybersecurity incidents across the globe.

Inc Ransom

Victims: 624

Inpivx

Victims: 0

Insane Ransomware

Insane is a relatively obscure ransomware family first reported in late 2021, with few confirmed incidents in public threat intelligence. It encrypts victim files using symmetric encryption (AES) combined with RSA for key protection and appends the .insane extension to affected files. The ransom note, typically named INSANE_README.txt, directs victims to contact the operators via email for decryption instructions. Based on limited reporting, Insane does not appear to operate as a Ransomware-as-a-Service (RaaS) platform; instead, it seems to be deployed by the core operators in targeted attacks. Initial access methods are not well-documented, but suspected vectors include phishing attachments and exploitation of exposed RDP services. The group’s small footprint in open-source intelligence suggests limited distribution or use in highly selective campaigns.

Victims: 2

Interlock

Victims: 92

Invaderx

Victims: 0

Izis

Victims: 4

J Group

Victims: 42

Jaff

Jaff is a ransomware family first discovered in May 2017, notable for its distribution via large-scale spam campaigns operated by the Necurs botnet. These campaigns delivered malicious PDF attachments that contained embedded Word documents with macros, which, when enabled, downloaded the ransomware payload. Jaff encrypts victim files using RSA and AES encryption and appends extensions such as .jaff, .wlu, or .sVn depending on the variant. The ransom note, typically named ReadMe.html or ReadMe.bmp, directs victims to a payment site hosted on the Tor network. The ransomware demands payment in Bitcoin and displays a custom payment portal interface. Jaff was initially believed to be linked to the Locky ransomware operators due to similarities in distribution methods, ransom portal design, and its use of Necurs, though later analysis suggested it was operated by a separate group. Its activity was short-lived, with most campaigns ceasing within weeks of its discovery.

Victims: 0

Jigsaw

Jigsaw is a ransomware family first observed in April 2016, notorious for its psychological intimidation tactics. It encrypts files using AES encryption and appends various extensions (e.g., .fun, .kkk, .btc) depending on the variant. The ransomware’s ransom note features imagery of the “Billy” puppet from the Saw movie franchise and displays a countdown timer. Jigsaw is unique in that it deletes a portion of the victim’s files every hour until the ransom is paid, escalating the number of deletions over time to increase pressure. The note typically instructs victims to pay in Bitcoin via email communication. The malware is written in .NET, and numerous versions have circulated since its emergence, many of which are decryptable due to coding flaws. Jigsaw has mainly been spread via malicious email attachments and exploit kits. While it had a period of high activity in 2016–2017, most modern antivirus tools can easily detect and block it.

Victims: 0

Jo Of Satan

Victims: 0

Jsworm

JSWorm is a ransomware family that first appeared in May 2019 and is notable for undergoing multiple rebrands and evolutions, later appearing under names such as Nemty, Nefilim, Offwhite, Fusion, and Milihpen. Initially, it was distributed via malicious spam emails containing JavaScript files, hence the “JS” in its name. Later versions moved to targeted intrusions, leveraging compromised RDP services and vulnerable network appliances for initial access. JSWorm encrypts files using AES-256 encryption with RSA-2048 for key protection and appends campaign-specific extensions (e.g., .JSWORM, .Nemty, .Nephilim). The group adopted a double-extortion model in its later stages, stealing data before encryption and threatening to leak it via Tor-hosted sites. Its victimology spans various sectors worldwide, including manufacturing, energy, healthcare, and professional services. The continuous rebranding suggests an effort to evade detection, disrupt attribution, and maintain pressure on victims.

Victims: 0

Justice_Blade

Victims: 0