Jaff ransomware has been defeated - a decryption tool has been developed

The malicious program Jaff, which encrypts victims' data and demands a ransom for restoring access, appeared just a few days before the outbreak of the infamous WannaCry. While analyzing it, Kaspersky Lab experts found a weak point in the Jaff code, which made it possible to prepare a free decryption tool for victims of this threat.

Jaff is distributed by the Necurs botnet, the same cybercrime botnet that was behind the campaigns of other threats: Locky and Dridex. Jaff victims receive spam e-mails with infected PDF files.


After the attachment is launched, the malware encrypts user data and appends the .jaff, .wlu, or .sVn extension to the encrypted files. Source: bleepingcomputer.com

By analyzing the Jaff malware code, researchers from Kaspersky Lab found an error that is present in all currently known versions of this threat. This discovery made it possible to update the free RakhniDecryptor tool with procedures for decrypting data blocked by Jaff.

To decrypt data blocked by the malicious program Jaff:

  • Disinfect the infected computer using an effective antivirus program.
  • Download the latest version of the RakhniDecryptor tool (version 1.21.2.1).
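
Before running the decryptor, it helps to record which files were affected. The following is an added example, not part of the original article or of Kaspersky's tool: it inventories files carrying the three extensions named above. Case-sensitive matching and the sample tree built in `demo()` are assumptions of this example.

```python
import os
import tempfile
from collections import Counter

# Extensions exactly as listed in the article. Matching is case-sensitive
# (an assumption of this example) so ordinary "*.svn" files are not flagged.
JAFF_EXTENSIONS = (".jaff", ".wlu", ".sVn")


def inventory(root):
    """Walk root and return (paths, per-extension counts, total bytes)."""
    hits, counts, total = [], Counter(), 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1]
            if ext not in JAFF_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                total += os.path.getsize(path)
            except OSError:
                pass  # file vanished or unreadable; still list it
            hits.append(path)
            counts[ext] += 1
    return sorted(hits), dict(counts), total


def demo():
    """Build a constructed sample tree and inventory it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs", ".svn"))
        samples = {
            "docs/report.docx.jaff": b"x" * 10,
            "docs/photo.jpg.wlu": b"x" * 20,
            "docs/notes.txt.sVn": b"x" * 30,
            "docs/clean.txt": b"ok",
            "docs/export.svn": b"ok",      # legitimate file, different case
            "docs/.svn/entries": b"ok",    # Subversion metadata, no suffix
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        hits, counts, total = inventory(root)
        return [os.path.basename(h) for h in hits], counts, total


if __name__ == "__main__":
    print(demo())
```

Point `inventory()` at a user profile or file share and keep the returned list with the incident record.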

