Files Locked by Jaff Ransomware Can Now be Decrypted by RakhniDecryptor Tool

Kaspersky Lab has released an updated version of its RakhniDecryptor tool which can decrypt files locked by the Jaff Ransomware.

The security experts have found a vulnerability in Jaff Ransomware, giving them an opportunity to create decryption keys for unlocking files which the malware has encrypted.

As soon as Jaff Ransomware infects victims, the attackers start demanding a ransom of between 0.5 and 2 Bitcoin (approximately $1,500 – $5,000, based on the current exchange rates).

The newly found vulnerability can be exploited by a free tool which has been included in Kaspersky Lab’s list of free ransomware decryptors. These tools allow recovering files that have been locked by ransomware such as CoinVault and Rannoh.

“We have found a vulnerability in Jaff’s code for all the variants to date. Thanks to this, it is now possible to recover users’ files (encrypted with the .jaff, .wlu, or .sVn extensions) for free,” said Kaspersky Lab in a statement announcing the availability of the decryption keys.

The free tool for decrypting locked files has been added to the RakhniDecryptor (version

Jaff Ransomware was first noticed in May this year, when it was being distributed by the Necurs botnet, which had previously been used to spread the Dridex and Locky malware.

Some time ago, while investigating a brand-new strain of Jaff Ransomware, Heimdal Security experts found that the malware shared its backend infrastructure with a black market offering stolen account information and card data for sale.

Although it was found only recently, Jaff Ransomware has been involved in multiple large-scale email campaigns. Each of these used a PDF attachment with an embedded Microsoft Word document whose macros download and execute the malicious code.

The Kaspersky Lab team says that the countries currently most affected by Jaff Ransomware are China, India, Russia, Egypt, and Germany.
