.jaff files restore – Remove Jaff decryptor system virus

Myantispyware team May 11, 2017    

If your documents, photos, music and other personal files do not open normally and .jaff has been added to the end of their names, then your computer is infected with the Jaff decryptor system virus. It is a new virus from a family of file-encrypting ransomware.


jaff decryptor system – ransomnote

Table of contents

  1. What is Jaff decryptor system virus?
  2. Is my system infected with Jaff ransomware?
  3. How does my computer get infected with Jaff virus?
  4. Jaff decryptor or how to decrypt jaff files?
  5. How to remove Jaff virus?
    • Remove Jaff virus with MalwareBytes
    • Remove Jaff virus with Kaspersky virus removal tool
  6. How to restore jaff files?
    • Restore jaff files with ShadowExplorer
    • Recover jaff files with PhotoRec
  7. How to prevent my computer from becoming infected by Jaff ransomware?

Once started, the Jaff decryptor system virus encrypts the personal files stored on the computer's drives and attached network drives. It uses very strong hybrid encryption with a large key. When the ransomware encrypts a file, it adds the .jaff extension to the file name. Once the virus has finished enciphering all files, it creates files named ReadMe.txt, ReadMe.html and ReadMe.bmp with instructions on how to decrypt the encrypted files.

The Jaff virus offers a key to decrypt the files in exchange for a payment in Bitcoins. It is important to know that it is currently not possible to decrypt the .jaff files encrypted by the ransomware without the private key and the decrypt program.


If you choose to pay the ransom, there is no 100% guarantee that you can get back your files! If you do not want to pay for a decryption key, then you have a chance to restore jaff files. Use the step-by-step guide below to remove the virus itself and try to restore your files.

What is Jaff decryptor system virus?

Jaff decryptor system virus is a variant of ransomware infection. It affects all current versions of the Windows operating system, such as Windows XP, Windows Vista, Windows 7, Windows 8 and Windows 10. The virus uses a mix of AES and RSA encryption to rule out brute forcing the key that would allow .jaff files to be decrypted.

When the virus infects a personal computer, it uses system directories to store its own files. To run automatically whenever you turn on your computer, Jaff ransomware creates an entry in the Windows registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.

Immediately after launch, the virus searches all available disks, including network and cloud storage, to determine which files to encrypt. The ransomware uses the file name extension to define the group of files that will be encrypted. Almost all types of files are encrypted, including common ones such as:

.xlsx, .acd, .pdf, .pfx, .crt, .der, .dwg, .MPEG, .rar, .veg, .zip, .txt, .jpg, .doc, .wbk, .mdb, .vcf, .docx, .ics, .vsc, .mdf, .dsr, .mdi, .msg, .xls, .ppt, .pps, .obd, .mpd, .dot, .xlt, .pot, .obt, .htm, .html, .mix, .pub, .vsd, .png, .ico, .rtf, .odt, .3dm, .3ds, .dxf, .obj, .7z, .cbr, .deb, .gz, .rpm, .sitx, .tar, .tar.gz, .zipx, .aif, .iff, .m3u, .m4a, .mid, .key, .vib, .stl, .psd, .ova, .xmod, .wda, .prn, .zpf, .swm, .xml, .xlsm, .par, .tib, .waw, .001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .contact, .dbx, .jnt, .mapimail, .oab, .ods, .ppsm, .pptm, .prf, .pst, .wab, .1cd, .3g2, .7ZIP, .accdb, .aoi, .asf, .asp, .aspx, .asx, .avi, .bak, .cer, .cfg, .class, .css, .csv, .db, .dds, .flv, .idx, .js, .kwm, .laccdb, .idf, .lit, .mbx, .md, .mlb, .mov, .mp3, .mp4, .mpg, .pages, .php, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsx, .ps, .pspimage, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cgm, .cr2, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv, .gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .ndf, .nvram, .ogg, .ost, .pdb, .pif, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdt, .ach, .acr, .adb, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wp, .x11, .x3f, .xis, .ycbcra, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb, .rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .srf, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pptx, .psafe3, .py, .qba, .qbr, .myd, .ndd, .nef, .nk, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .ord, .otg, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .moneywell, .mrw, .des, .dgc, .djvu, .drf, .dxg, .eml, .erbsql, .erd, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibank, .ibd, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .dc2, .dcs, .ddoc, .ddrw, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .bank, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .as4

Once a file is encrypted, its extension is changed to .jaff. Next, the virus creates files named “ReadMe.txt”, “ReadMe.html” and “ReadMe.bmp”. These files contain instructions on how to decrypt the encrypted files. An example of these instructions:

Files are encrypted!
To decrypt flies you need to obtain the private key. The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet
• You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en
• After instalation, run the Tor Browser and enter address: http://xxx/ Follow the instructions on the web-site.

Your decrypt ID:

Jaff decryptor system virus actively uses scare tactics by giving the victim a brief description of the encryption algorithm and showing a threatening message on the desktop. It tries to pressure the user of the infected computer into paying the ransom without hesitation in an attempt to recover their files.

Is my system infected with Jaff ransomware?

It is quite easy to tell whether your computer is infected with Jaff ransomware. If your personal files, such as documents, photos and music, do not open normally (for example, when you try to open a document, Word reports that it is an unknown file type), then it is likely that the files are encrypted and your computer is infected. Of course, a ransom screen or threatening message on the desktop is also a sign of infection.

If you suspect that you have opened an email infected with the Jaff decryptor system virus but do not see any symptoms of infection, follow the steps in this guide as soon as possible; see How to remove Jaff virus. Another option is to shut down the computer, remove the hard drive and check it on another computer.
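
The indicators named in this guide (the .jaff extension and the ReadMe.txt, ReadMe.html and ReadMe.bmp notes) can be checked on a folder or on a drive attached to another computer with a short script. The Python below is an added example, not part of the original guide; matching text notes by the phrases "Files are encrypted!" and "decrypt ID" and matching ReadMe.bmp by name only are assumptions made here, and the sample tree is constructed.

```python
import os
import sys
import tempfile

ENCRYPTED_EXT = ".jaff"   # extension this guide says is added to encrypted files
NOTE_NAMES = {"readme.txt", "readme.html", "readme.bmp"}   # ransom note names
NOTE_MARKERS = ("files are encrypted!", "decrypt id")      # phrases quoted from the note


def is_ransom_note(path):
    """ReadMe.* is a common file name, so text notes must contain a note phrase."""
    if path.lower().endswith(".bmp"):
        return True   # assumption: the image note is matched by name only
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            head = fh.read(4096).lower()
    except OSError:
        return False  # unreadable file: do not count it as a note
    return any(marker in head for marker in NOTE_MARKERS)


def scan(root):
    """Walk root and report .jaff files, ransom notes and an overall verdict."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(full)
            elif name.lower() in NOTE_NAMES and is_ransom_note(full):
                notes.append(full)
    verdict = ("likely infected" if encrypted and notes
               else "suspicious" if encrypted or notes else "no indicators")
    return {"encrypted": encrypted, "notes": notes, "verdict": verdict}


def demo():
    """Scan a constructed sample tree (not real malware output) and count hits."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "docs/report.docx.jaff": "constructed placeholder bytes",
            "docs/ReadMe.txt": "Files are encrypted!\nYour decrypt ID: 0000000000",
            "project/README.txt": "Build instructions for a harmless project",
        }
        for rel, text in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(text)
        return {k: (len(v) if isinstance(v, list) else v) for k, v in scan(root).items()}


if __name__ == "__main__":
    print(scan(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with a folder or drive path as the only argument; without an argument it scans the constructed sample, where the harmless README.txt is not counted as a ransom note.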

How does my computer get infected with Jaff virus

Jaff decryptor system virus is distributed through the use of spam emails. Below is an email that is infected with the Jaff ransomware.

jaff spam email

Once the attachment has been opened, the virus starts automatically without you even noticing. Jaff ransomware then starts the encryption process. When this process is done, it displays the usual ransom instructions, like those above, in ReadMe.txt.

Jaff decryptor or how to decrypt jaff files?

Currently there is no way to decrypt encrypted files without access to the malware creators' private key (but it may be possible to restore jaff files using ShadowExplorer and PhotoRec). The ransomware repeatedly tells the victim that it uses a strong encryption algorithm with a big key. This means that decrypting the encrypted files is impossible without the private key. Brute forcing is not an option either, because of the length of the key. Therefore, unfortunately, paying the authors of the Jaff decryptor system virus the entire amount requested is the only way to try to get the decryption key.

There is absolutely no guarantee that, after you pay a ransom to the authors of the Jaff ransomware, they will provide the key needed to decrypt your files. In addition, you must understand that by paying money to cyber criminals you are encouraging them to create new viruses.




How to remove Jaff virus

The following instructions will help you remove the Jaff decryptor system virus. Before you begin, you need to know that by removing the virus you may block the ability to decrypt files by paying the authors of the virus the requested ransom.

Kaspersky Virus Removal Tool and Malwarebytes Anti-malware can detect different types of active ransomware and easily remove them from your computer, but they cannot recover encrypted files.

Remove Jaff virus with MalwareBytes

You can remove the Jaff virus automatically with the help of Malwarebytes Free. We recommend this free malicious software removal tool because it can easily remove browser hijackers, ransomware, adware, PUPs and toolbars with all their components, such as files, folders and registry entries.

Download Malwarebytes by clicking on the link below.

Malwarebytes Anti-malware

After the download is done, close all programs and windows on your machine. Open the directory in which you saved the file. Double-click the icon named mb3-setup, like the one below.

malwarebytes setup icon

When the installation starts, you will see the “Setup wizard” which will help you install Malwarebytes on your PC system.

setup malwarebytes

Once the installation is finished, you will see a window like the one shown below.

malwarebytes windows10

Now click the “Scan Now” button to check your PC for the Jaff ransomware virus. This procedure can take some time, so please be patient. When malicious software, ad-supported software or PUPs are found, the number of security threats will change accordingly. Wait until the scan is complete.

malwarebytes win10 scan for virus

Once the system scan is complete, it will open a scan report. When you are ready, press the “Quarantine Selected” button.

malwarebytes win10 threat scan finished

Malwarebytes will begin removing ransomware-related files, folders and registry keys. Once disinfection is finished, you may be prompted to restart your PC.


Remove Jaff virus with Kaspersky virus removal tool

Download Kaspersky virus removal tool from the link below and save it directly to your Windows Desktop.

Kaspersky virus removal tool

Double-click the KVRT icon on your desktop. Once the initialization process is finished, you will see the Kaspersky virus removal tool screen as shown below.

kvrt main window

Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button. Kaspersky virus removal tool will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

kaspersky virus removal tool scanning

When KVRT has finished scanning, you will see a screen like the one shown below.

kvrt scan report

Click Continue to start the cleaning process.

How to restore jaff files

In some cases, you can recover files encrypted by the Jaff decryptor system virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and other files.




Restore jaff files with ShadowExplorer

Download ShadowExplorer from the following link.

ShadowExplorer

Open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.

ShadowExplorer folder

Double click ShadowExplorerPortable to run it. You will see the following screen.

ShadowExplorer

In the top left corner, select a drive and the latest restore point, as shown in the example below (1 – drive, 2 – restore point).

ShadowExplorer

In the right panel, look for a file that you want to restore, right-click it and select Export. An example is shown below.

ShadowExplorer restore file

Recover jaff files with PhotoRec

Download PhotoRec from the link below.

PhotoRec

Open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen like below.

PhotoRec for windows

Select a drive to recover from as shown below.

photorec select drive

You will see a list of available partitions. Select the partition that holds the lost and encrypted files. An example is shown below.

photorec select partition

Click the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is done, click the OK button.

PhotoRec file formats

Next, click the Browse button to select where recovered files should be written, then click Search.

photorec

The count of recovered files is updated in real time. All recovered files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.

When the recovery is completed, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents like those below.

PhotoRec - result of recovery

All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort the recovered files by extension and/or date/time.

How to prevent my computer from becoming infected by Jaff ransomware?

Most antivirus programs already have built-in protection against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.

Download CryptoPrevent from the link below.

www.foolishit.com/download/cryptoprevent/

Run it and follow the setup wizard. Once the installation is completed, you will be shown a window where you can select a level of protection, as shown in the following example.

CryptoPrevent

Click the Apply button to activate the protection.

Final words

After completing the steps shown above, your machine should be clean from Jaff virus. If you need help with the instructions, then ask for help here.


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

1 Comment

  1. Oakkar
    ― May 19, 2017 - 4:50 am

    Thanks, Patrik. So great.
