I wrote this article to help you remove Jaff Ransomware. This Jaff Ransomware removal guide works for all Windows versions.
Jaff ransomware, also known as Jaff Decryption System, is a malicious win-locker. The nefarious program encrypts 423 different file types. The list encompasses text documents, archives, images, videos, audios, spreadsheets, presentations, scripts, databases and others. Jaff ransomware uses AES and RSA algorithms as the basis for the encryption. In addition, the hackers exploit CryptoAPI, an encryption system which is implemented into the Windows OS. The virus marks the locked objects with the .jaff file extension. Win-lockers use encryption algorithms to render the code schemes of vulnerable files. They can be set to encrypt a different number of formats. Jaff ransomware has an extensive target range.
Researchers have been able to identify the propagation vector of the infection. Jaff ransomware is distributed by the Necurs botnet. The malicious client transfers the virus through spam emails. The containing messages have an appended attachment titled nm.pdf. Inside the attachment, there is a .docm file with a name consisting of 10 random letters. When you open the text file, a message will inform you that it is protected. You will receive instructions on how to make the content accessible. First, you will have to click on “Enable editing” and then on “Enable content”. If you do so, Necurs will establish a connection with a command and control (C&C) server. The botnet will proceed to download and install Jaff ransomware to your system. To avoid contacting malware through spam, proof the reliability of the emails you receive.
Jaff ransomware performs the encryption through background processes. Before you know it, your personal files will have been locked. Upon completing the encryption, the win-locker drops a set of files. Jaff ransomware produces ransom notes in .txt, .html and .bmp format. The files share the title ReadMe. You will find a copy of them in every folder which contains encrypted data. To convey the message clearly, the sinister program sets the graphic version of the note as the desktop background. This way, the win-locker makes sure that the victims will find the instructions. All three notes list the same information.
Jaff ransomware assigns a 10-digit ID to every infected computer, referred to as a decrypt ID. The hackers require people to download and install the Tor web browser. The note contains a link to a payment website where you will find complete instructions on how to pay the ransom. It should be noted that the authors of Jaff ransomware have copied the payment platform of Locky ransomware. There is currently no word on whether or not the same people are responsible for the two programs. The renegade developers have already produced several builds of the win-locker. The amount of the ransom has gone up with the later variants. The hackers had initially set the ransom at 1.82196031 Bitcoins (BTC). The sum has since been increased to over 2 BTC and it currently amounts to about $3,700 USD.
The cyber criminals have selected the Tor web browser and the Bitcoin cryptocurrency for a reason. This browsing client was created to enable people to browse the web anonymously. It prevents third party websites from tracking users’ geographic location. Similarly, Bitcoins were devised as a secure means of payment. The platforms which trade them do not require users to disclose personal details. The owners of Jaff ransomware use these options to protect their identity and hide their coordinates.
The attackers will tell you that the only way to have your files decrypted is with a unique key which only they can provide. Be advised that cyber criminals cannot be trusted on their word. There is no guarantee that paying the ransom would resolve the issue. They may not provide the decryption key. Even if they do, they can launch another attack in time. The only solution to the problem is to delete Jaff ransomware from your computer. Upon removing the win-locker, you can attempt to restore the lost files from their shadow volume copies. For further instructions, please refer to the guide below.
Jaff Ransomware Removal
Method 1: Restore your encrypted files using ShadowExplorer
Usually, Jaff Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.
- Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
- Install ShadowExplorer
- Open ShadowExplorer and select C: drive on the left panel
- Choose at least a month ago date from the date field
- Navigate to the folder with encrypted files
- Right-click on the encrypted file
- Select “Export” and choose a destination for the original file
Method 2: Restore your encrypted files by using System Restore
- Go to Start –> All programs –> Accessories –> System tools –> System restore
- Click “Next“
- Choose a restore point, at least a month ago
- Click “Next“
- Choose Disk C: (should be selected by default)
- Click “Next“. Wait for a few minutes and the restore should be done.
Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Jaff Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs: