Decryption Utility Unlocks Files Encrypted by Jaff Ransomware
June 22, 2017
Raina Zakir (56 articles)

Decryption Utility Unlocks Files Encrypted by Jaff Ransomware

A senior malware analyst at Kaspersky Labs, has discovered a weakness in the Jaff ransomware and was able to release a decryptor for all variants that have been released to date. For those who were infected with the Jaff Ransomware and had their files encrypted with the .jaff, .wlu, or .sVn extensions, this decryptor can recover your files for free.

Jaff was only first identified last month. At the time it was being distributed by Necurs botnet – the same botnet behind the Locky and Dridex campaigns. Attacks have included massive spam campaigns that include PDF attachments with an embedded Microsoft Word document functioning as the initial downloader for the ransomware. According to researchers, if recipients downloaded and enabled a Word macro associated with the .PDF the ransomware was downloaded. Actors behind the malware then demanded a ransom of between 0.5 to 2 Bitcoin (approximately $1,500 – $5,000, based on current exchange rates).

How to Decrypt Jaff (SVN, WLU, Jaff) Encrypted Files Using RakhniDecryptor:
Victims of the Jaff ransomware can be identified by their files being encrypted and have either the .jaff, .wlu, or .sVn extension appended to the file name. For example, a file called test.jpg would be encrypted and renamed as test.jpg.jaff, test.jpg.wlu, or test.jpg.sVn

Before decrypting Jaff encrypted files, terminate the ransomware first. To do this, open the Windows Task Manager by pressing the Ctrl+Alt+Delete keyboard combination on your keyboard to open the Windows security screen. Then select Task Manager.

Once Task Manager is open, look for a process that appears to have a random name. For example, one campaign of the .sVn variant was using file names such as SKM_C224e9930.exe. Once you determine the Jaff process that is running, you should terminate it by clicking on the End Process button while the process is highlighted. It may also be possible that there will be no Jaff process running.

Now that Jaff is no longer running on the computer,  you need to download the RakhniDecryptor, extract the program, and then run it. Click on the Start scan button and RakhniDecryptor will prompt you to select an encrypted file. Browse to a folder that contains Jaff encrypted files and select a .Word, Excel, PDF, music, or image file.

Once you have selected the ransom note, click on the Open button. RakhniDecryptor will now scan the entire computer for encrypted files and decrypt them.It should be noted that even though your files are now decrypted, the original encrypted files will be left behind.

Source | BleepingComputer