Security Researchers Defeat Jaff Ransomware via Poor File Encryption Faux Pas

The Jaff ransomware appeared on May 11, and it briefly managed to fool some of the security experts into thinking that it's a new version of Locky. That's partly because it was distributed by the Necurs spam botnet at a rate of about 5 million emails per hour. Necurs played a key role in Locky's incredible success, and only 2016's most prolific ransomware had been seen spreading through spam waves of this scale. Jaff also used a downloader which came in the form of a macro-laced Word document embedded into a PDF file, a technique that was very similar to what Locky had demonstrated weeks earlier. The Tor-hosted payment page was a verbatim copy of Locky's portal as well. That said, there were a couple of differences which proved that Jaff is not Locky.

The most obvious one was the truly outrageous ransom amount the crooks demanded. While most ransomware authors try to extort a few hundred dollars for the decryption of the files, Jaff's developers wanted more than $3,000 worth of bitcoins. The less visible differences between the two families came to light when the security researchers went through the code and concluded that Jaff is nowhere near as professionally written as Locky. Emsisoft's experts even noted that thanks to a few mistakes, recovering a portion of the data might be possible.

Unfortunately, they didn't have the time to examine the new ransomware closely because on May 12, about 24 hours after the first Jaff-carrying emails started flying around, they were called in to stop the unprecedented WannaCry outbreak. Although the heroic efforts of MalwareTech and the rest of the people involved in the mitigation of the biggest ransomware attack ever seen brought the whole thing to a close rather quickly, the aftermath of the WannaCry incident kept security professionals busy for quite a while. Which was bad news because while WannaCry ground to a halt, Jaff plowed on.

In fact, over the following weeks, Jaff started adding new extensions (.wlu and .sVn) to encrypted files and tried different infection vectors (e.g. zipped executables). The crooks also realized their initial mistake and lowered the ransom demand to less ridiculous levels which means that right now, if your valuable information gets encrypted by the Jaff ransomware, you might be more willing to cough up the bitcoins. Don't make that mistake.

After spending a few weeks cleaning up the WannaCry mess, security specialists finally found the time to examine the Jaff ransomware closely, and we're happy to report that they have found a mistake in the encryption process. Researchers from MalwareHunterTeam first said that Jaff might be decryptable yesterday, and a few hours later, Kaspersky updated their free RakhniDecryptor so that it can now recover Jaff-encrypted files. The tool is available both through Kaspersky's own website and via the No More Ransom project. It works on every version the researchers have seen so far which means that if you are one of Jaff's victims, and if you keep a copy of your encrypted files (something the security professionals say you should always do), you can get your information back with a few simple clicks.

Having the opportunity to get your files back is bound to put some smiles on victims' faces. Here are a few sobering thoughts, though.

Not surprisingly, the researchers won't publicly announce what sort of mistake allowed them to create the free decryptor. That would make the crooks' lives quite easy. Sooner or later, however, the malware authors will find the error and patch it which will render the free tool useless. That's why, although there is a fix that works at the moment, computer users should be as careful as ever with the email attachments that arrive in their inboxes.