UPDATED 23:22 EDT / JUNE 04 2017

In a new twist, Jaff ransomware linked to dark web forum owners

It’s well known in cybersecurity circles that those behind various forms of malware often sell the data they steal on the dark web, the sometimes shady sites reachable only through specialized software. Now, in an interesting twist, a dark web forum may be behind a recently launched form of malware, according to newly published research.

The claim comes from Andra Zaharia, a security evangelist at Heimdal Security, who writes that researchers at the company have discovered that Jaff shares server space with a cybercrime dark web store that provides access to tens of thousands of compromised bank accounts.

“Banks from all over the world are listed,” Zaharia said. “Other types of user accounts that include financial data are available as well. Unsuspecting Internet users who have shopped online at Apple, Bed Bath & Beyond, Barnes & Noble, Best Buy, Booking.com, Asos.com and many other e-commerce portals can become victims of cyber fraud or other types of malicious activity.”

The Jaff ransomware first appeared in early May, around the same time as WannaCry, though without the same mainstream media attention. Jaff is far closer in type to Locky, an earlier form of ransomware that ran riot in 2016, and even uses the same payment site template. There are some differences, including the use of infected PDF files with an embedded “DOCM” file that contains a malicious macro script. Once through the door of a victim’s computer, Jaff encrypts files and demands a ransom of 2 bitcoin, which equals about $5,130.

According to Zaharia, the Russians are actually to blame. The server behind Jaff and the related dark web marketplace was traced to St. Petersburg.

“By combining these informational assets, cybercriminals are engaging in both the long game, required to monetize stolen card data, and in quick wins, such as targeted ransomware attacks, whose simpler business model yields a fast return on investment,” Zaharia added.

Image: sheila_sund/Flickr
