Threat Database Ransomware Jaff Ransomware

Jaff Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 24
First Seen: May 12, 2017
Last Seen: May 30, 2023
OS(es) Affected: Windows

The Jaff Ransomware is a file encoder Trojan that was reported by infected users in the second week of May 2017. Cyber scrutiny researchers alert that the main distribution method employed by the Jaff Ransomware's authors is spam emails that carry a corrupted DOCX file. A Microsoft Word document is sent out to users, which include an invitation to the user that suggests enabling the editing and macro functionalities in the word processor to load the file properly. Needless to say, if you go after the instructions, the installation of the Jaff Ransomware will be completed in seconds. We have received reports that the corrupted document may feature the following names:

  • Document_[RANDOM NUMBERS]

The carrier email message may suggest that the attached document offers more information on an ongoing project, billing details, and photos sent from your friends on Facebook and Instagram. Web surfers should not open spam emails that invite them to open a suspicious document, and they should double-check with their friends if they have sent them a package with images. The Jaff Ransomware is classified as a mid-tier crypto-threat, which is programmed to encode 421 types of data containers. Analysis of the distribution network and cases that involve the Jaff Ransomware show that it is aimed at regular users based in North America and Western Europe primarily. Samples of the Trojan have been found to use the following executable on infected devices:

  • Rcfcngzxx.exe
  • jaffdecryptor.exe
  • pitupi20.exe
  • 924c84415.exe

The Jaff Ransomware is programmed to run in the system background and can run on the latest versions of Windows, as well as the old Windows XP. Objects that are encoded by the Trojan feature a change in their filenames and include the '.jaff' extension. For example, 'Monomorium pharaonis - Pharoh Ant.pptx' is renamed to 'Monomorium pharaonis - Pharoh Ant.pptx.jaff' and the file lacks a thumbnail. Windows Explorer might show the encoded data as generic white icons and refuse to open the file due to corruption. The threat creates the following directories where the ransom notifications are hosted:

  • C:\ProgramData\Rondo\
  • C:\ProgramData\Rondo\WallpapeR.bmp\
  • C:\ProgramData\Rondo\\

Infected users may notice that the following files are loaded on the screen after the encryption procedure is completed:

  • ReadMe.html
  • ReadMe.txt
  • WallpapeR.bmp

We have seen the Jaff Ransomware launch the default Internet client to load 'ReadMe.html' and show the following message:

'jaff decryptor system
Files are encrypted!
To decrypt flies you need to obtain the private key.
The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet
You must install Tor Browser:
After instalation, run the Tor Browser and enter address: [REDACTED]
Follow the instruction on the web-site.
Your decrypt ID: [10 RANDOM DIGITS]'

The threat suggests users download the TOR Browser and open the payment portal on the TOR anonymization network. We have seen the operators of the '' Ransomware and the Sage 2.0 Ransomware use TOR-based payment portals for anti-trackback purposes. Cyber security analysts that worked on samples of the Jaff Ransomware report that it is impossible to decode the affected data since the threat uses the secure AES-256 cryptographic algorithm and the decryption key is not saved on the compromised system. At the time of writing, the ransom fee is set to 2 Bitcoins, which is priced at 3630 USD/3337 EUR on markets like We do not recommend users deliver payment since the 'jaff decryptor system' might be a hoax. You might be able to recover from the attack with Jaff Ransomware by running a complete system scan using a trusted anti-malware tool and loading backup images.

SpyHunter Detects & Remove Jaff Ransomware

File System Details

Jaff Ransomware may create the following file(s):
# File Name MD5 Detections
1. file.exe 942c6a039724ed5326c3c247bfce3461 0
2. file.exe 63ff8e84e4aea1217eb0490757a49ae7 0
3. file.exe bf0455ac54931da70445d71ad9ebfe2d 0
4. file.exe 56185d85038547ec352a0f39396a37a7 0
5. file.exe 0a03c3bdae435d282508a3870bb825e7 0

Registry Details

Jaff Ransomware may create the following registry entry or registry entries:
File name without path


Jaff Ransomware may create the following directory or directories:


Related Posts


Most Viewed