Jaff Ransomware Removal And .jaff File Recovery Guide

Jaff is a ransomware which spreads through email spam. Necurs botnet has been used for a massive distribution campaign and as a result many victims were infected.

The virus acts as any other ransomware: it first infiltrates the computer and then starts encrypting your personal files. It is known to target 421 different file types and they become impossible to open as soon as the encryption process finishes.

Jaff creators demand a very high ransom of 2 BitCoins (more than $3500) in order to receive decryption key key and get back your files. However, there is no guarantee that the criminals will provide you with the key even if you make the payment. Therefore, you should ignore the ransom demands and remove the virus yourself.

We have an automatic removal tool which will detect Jaff and any other threats present on your system and remove them. It will also protect your computer in the future.

Unfortunately, it is currently impossible to decrypt .jaff files. However, we have several alternative file recovery methods listed below. Please remember that you need to completely remove the threat first before retrieving files!


Recommended Method: Download Jaff Virus Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Jaff ransomware virus?

Just like many other similar ransomware, Jaff virus makes your personal files unopenable and asks for a payment in order to recover them. As soon as it enters the system it starts encrypting files with strong AES algorithm. Encrypted files become impossible to open using traditional programs and they start bearing an additional .jaff extension (e.g. “sample.jpg” becomes “sample.jpg.jaff“).

The virus also places several ransom notes named ReadMe.txtReadMe.html and ReadMe.bmp. It also changes the desktop wallpaper to an image called WallpapeR.bmp. Jaff assigns 10 digit “decrypt ID” which is required to identify a victim. It then asks to visit a TOR (.onion) website for further instructions.

Here are typical contents of a ransom note:

jaff decryptor system
Files are encrypted!
To decrypt flies you need to obtain the private key.
The only copy of the private key, which will allow you to decrypt your files, is located on a secret server in the Internet
You must install Tor Browser: https://www.torproject.org/download/download-easy.html.en
After instalation, run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/ 
Follow the instruction on the web-site.
Your decrypt ID:

Jaff currently demands for approximately 2 BitCoins payment which is worth more than $3500. This high amount suggests that the virus is targeted primarily at institutions as not many individuals could afford to pay the ransom for their personal files.

The payment website has a light brown color scheme and reminds of another very popular ransomware called Locky. However, it is not just another version of Locky and is a completely different virus. The creators simply copied the design to either confuse the victims or simply save time.

Jaff is being distributed with a help of Necurs botnet. It arrives as an email attachment and usually asks to “Enable Content” in order to activate. If you click such button, the virus accesses the system and starts the encryption process. Typical email subjects usually include one of the following words:

Copy_
Document_
Scan_
File_
PDF_

We strongly discourage you from following any of the virus creators’ instructions as this does not guarantee that you will be able to recover your files. This could also lead to further infections as the criminals will still have access to your machine.

Instead of paying the ransomware, you should first completely remove the virus by yourself and then proceed to alternative file recovery methods. We have an automatic removal tool listed below which will eliminate the threat and protect your computer in the future.

At the moment there is no official way of recovering .jaff files. However, we have listed several alternative methods at the bottom of this article.

Screenshots of Jaff ransomware:

    


 Manual Removal Instructions:

NB: Even if you follow this guide completely there might be some virus files remaining deep in the system. Therefore, we recommend using the automatic removal tool listed above. This way you will be sure that Jaff is removed completely as well as that your computer will be protected from any further threats.

Make sure you bookmark this page as a computer restart will be required. The best way to work is to open this website on a separate device while removing the threat.

Step 1:

You will need to restart the computer in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Press keyboard buttons CTRL + F and enter:

jaff

Click Find Next.

If you find any registry entries that could be associated with Jaff ransomware, delete them by right-clicking on it and choosing Delete.

Repeat the search with the following search queries:

ransomware
fkksjobnn43
rktazuzi7hbln7sy
pitupi20

Repeat this search until no results are found anymore.

Step 3:

Clean up Windows temporary files.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them.

Step 4:

Hold Windows () key and click R key.

Enter the following in the field:

%ProgramData%

Click OK.

A folder will open. Go to the following directory:

Rondo

Delete the folder permanently by pressing SHIFT + DELETE.

Step 5:

Block virus IPs in your hosts file.

Press and hold Windows () key and click R key.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “127.0.0.1 localhost” entry. Here is an example:

Then, at the bottom of the file, paste the following text and save it:

127.0.0.1 47.91.107.213

Step 6:

Find and delete the following file by utilizing Windows Search (Windows () key to open):

ReadMe.txt
ReadMe.html
ReadMe.bmp
WallpapeR.bmp
Rcfcngzxx.exe
pitupi20.exe
jaffdecryptor.exe
nm.pdf

Make sure it has been modified recently (at the time of the infection) and is related to the virus.

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate media in case you are not able to recover the files using our methods.

Check for Jaff decryptor here: List of currently available decryptors. Currently we have no information that such decryptor is available but it might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter.

Step 2:

Restore the old system settings using System Restore. The virus might have changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Try restoring earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus usually deletes shadow copies so this step this might be unsuccessful. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Jaff decryptor to be created. New free decryptors for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Jaff ransomware virus you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *