Jaff Ransomware

The Jaff Ransomware is a file encoder Trojan that was reported by infected users in the second week of May 2017. Cyber scrutiny researchers alert that the main distribution method employed by the Jaff Ransomware's authors is spam emails that carry a corrupted DOCX file. A Microsoft Word document is sent out to users, which include an invitation to the user that suggests enabling the editing and macro functionalities in the word processor to load the file properly. Needless to say, if you go after the instructions, the installation of the Jaff Ransomware will be completed in seconds. We have received reports that the corrupted document may feature the following names:

• Copy_[RANDOM NUMBERS]
• Document_[RANDOM NUMBERS]
• File_[RANDOM NUMBERS]
• PDF_[RANDOM NUMBERS]
• Scan_[RANDOM NUMBERS]

The carrier email message may suggest that the attached document offers more information on an ongoing project, billing details, and photos sent from your friends on Facebook and Instagram. Web surfers should not open spam emails that invite them to open a suspicious document, and they should double-check with their friends if they have sent them a package with images. The Jaff Ransomware is classified as a mid-tier crypto-threat, which is programmed to encode 421 types of data containers. Analysis of the distribution network and cases that involve the Jaff Ransomware show that it is aimed at regular users based in North America and Western Europe primarily. Samples of the Trojan have been found to use the following executable on infected devices:

• Rcfcngzxx.exe
• jaffdecryptor.exe
• pitupi20.exe
• 924c84415.exe

The Jaff Ransomware is programmed to run in the system background and can run on the latest versions of Windows, as well as the old Windows XP. Objects that are encoded by the Trojan feature a change in their filenames and include the '.jaff' extension. For example, 'Monomorium pharaonis - Pharoh Ant.pptx' is renamed to 'Monomorium pharaonis - Pharoh Ant.pptx.jaff' and the file lacks a thumbnail. Windows Explorer might show the encoded data as generic white icons and refuse to open the file due to corruption. The threat creates the following directories where the ransom notifications are hosted:

• C:\ProgramData\Rondo\
• C:\ProgramData\Rondo\WallpapeR.bmp\
• C:\ProgramData\Rondo\backup.om\

Infected users may notice that the following files are loaded on the screen after the encryption procedure is completed:

• ReadMe.bm
• ReadMe.html
• ReadMe.txt
• WallpapeR.bmp

We have seen the Jaff Ransomware launch the default Internet client to load 'ReadMe.html' and show the following message:

'jaff decryptor system
Files are encrypted!
To decrypt flies you need to obtain the private key.
The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet
You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en
After instalation, run the Tor Browser and enter address: [REDACTED]
Follow the instruction on the web-site.
Your decrypt ID: [10 RANDOM DIGITS]'

The threat suggests users download the TOR Browser and open the payment portal on the TOR anonymization network. We have seen the operators of the 'Crypt32@mail.ru' Ransomware and the Sage 2.0 Ransomware use TOR-based payment portals for anti-trackback purposes. Cyber security analysts that worked on samples of the Jaff Ransomware report that it is impossible to decode the affected data since the threat uses the secure AES-256 cryptographic algorithm and the decryption key is not saved on the compromised system. At the time of writing, the ransom fee is set to 2 Bitcoins, which is priced at 3630 USD/3337 EUR on markets like Blockchain.info. We do not recommend users deliver payment since the 'jaff decryptor system' might be a hoax. You might be able to recover from the attack with Jaff Ransomware by running a complete system scan using a trusted anti-malware tool and loading backup images.

Table of Contents

1

SpyHunter Detects & Remove Jaff Ransomware