
Jaff Ransomware Help & Support Topic (Jaff Decryptor, ReadMe.html, .Jaff, .sVn)


16 replies to this topic

#1 cacofony (Members, 1 post)

Posted 11 May 2017 - 03:43 AM

Can read more about this ransomware here. Please post here as there may be a way for us to recover your files.

ID Ransomware: Please reference this case SHA1: fbbbc7d3b74626e66e51ff7698ddbaa3af18c60c

Unsure of distribution method at this point; attack location Australia.

jaff decryptor system

Files are encrypted!
To decrypt flies you need to obtain the private key.
The only copy of the private key, which will allow you to decrypt your files, is located on a secret server
in the Internet

After instalation,run the Tor Browser and enter address: http://rktazuzi7hbln7sy.onion/
Follow the instruction on the web-site.

Edited by xXToffeeXx, 11 May 2017 - 11:11 AM.




#2 Demonslay335, Ransomware Hunter (Security Colleague, 3,179 posts, Male, USA)

Posted 11 May 2017 - 09:00 AM

This appears to be a new ransomware being mass-spread via the Necurs spam botnet. It's all over Twitter right now. ID Ransomware has been updated to point victims here.

 

As a note, it has already been confirmed to not be related to Locky or Bart, even though the note looks really similar.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 sparkie001 (Members, 1 post)

Posted 12 May 2017 - 02:54 PM

Does the encryption extend to networked NAS drives that are not mapped as a drive letter?



#4 cybercynic (Members, 553 posts, Male, Edge Of Tomorrow)

Posted 12 May 2017 - 03:25 PM

From the News section:

 

Unfortunately, after analysis by Emsisoft's Fabian Wosar it was determined that the Jaff Ransomware is not decryptable. With that said, there may be methods that can be used to recover some of the files, so please contact Emsisoft or the helpers at BleepingComputer before paying a ransom.  If you want to discuss this ransomware or receive support, you can ask in our dedicated Jaff Ransomware Support & Help Topic.


We are drowning in information - and starving for wisdom.


#5 quietman7, Bleepin' Janitor (Global Moderator, 49,583 posts, Male, Virginia, USA)

Posted 12 May 2017 - 03:51 PM

As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups.

Other possible options include using native Windows Previous Versions and Shadow Explorer. Most crypto malware will typically delete (though not always) all shadow copy snapshots (created if System Restore was enabled) with vssadmin.exe so that you cannot restore your files from before they had been encrypted using Windows Previous Versions or Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work...again it never hurts to try.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
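The shadow-copy deletion that quietman7 describes in post #5 is also something a defender can look for in process-creation telemetry, and the answer tells you whether the "it never hurts to try" step is likely to pay off. The following is an added example, not code from this thread or from any tool mentioned in it: a small Python detector that scans constructed Sysmon-style process-creation records for the vssadmin invocation the post mentions, plus the wmic shadowcopy variant catalogued under the same MITRE ATT&CK technique (T1490, Inhibit System Recovery), and separately lists hits launched from user-writable paths. The pipe-delimited record format, the sample lines, and the dropper path `dropper_sample.exe` are assumptions made for the example, not Jaff artifacts.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample of process-creation telemetry (Sysmon Event ID 1 style),
# one record per line: timestamp|parent image|image|command line.
# Every line here is made up for the example; the dropper path is a placeholder.
SAMPLE_LOG = [
    "2017-05-11T03:40:12Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\ReadMe.html",
    "2017-05-11T03:40:15Z|C:\\Users\\alice\\AppData\\Local\\Temp\\dropper_sample.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet",
    "2017-05-11T03:40:16Z|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "2017-05-11T03:41:02Z|C:\\Users\\alice\\AppData\\Local\\Temp\\dropper_sample.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "2017-05-11T03:42:00Z|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

# Command-line shapes that destroy or starve Volume Shadow Copies
# (MITRE ATT&CK T1490). "vssadmin list shadows" is deliberately not matched:
# listing the copies is a benign admin action and is exactly what a victim
# should run to see whether any snapshots survived.
SHADOW_TAMPER_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
]


@dataclass
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    timestamp: str
    rule: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Split one pipe-delimited record into its four fields."""
    parts = line.rstrip("\n").split("|", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed record: {line!r}")
    return ProcessEvent(*parts)


def find_shadow_copy_tampering(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per record whose command line matches a
    shadow-copy deletion pattern; the first matching rule wins."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule_name, pattern in SHADOW_TAMPER_PATTERNS:
            if pattern.search(ev.command_line):
                findings.append(Finding(ev.timestamp, rule_name,
                                        ev.parent_image, ev.command_line))
                break
    return findings


def suspicious_parents(findings: Iterable[Finding]) -> List[str]:
    """Parent images that launched the tampering from a user-writable
    location (Temp, AppData, Downloads): a stronger signal than the same
    command typed into an admin console."""
    return sorted({f.parent_image for f in findings
                   if re.search(r"\\(Temp|AppData|Downloads)\\",
                                f.parent_image, re.I)})


if __name__ == "__main__":
    hits = find_shadow_copy_tampering(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} [{f.rule}] parent={f.parent_image} cmd={f.command_line}")
    print("user-writable launch paths:", suspicious_parents(hits))
```

A hit only proves the deletion was attempted. As the post notes, it does not always succeed, so the next step is still to list the remaining shadow copies (vssadmin list shadows, or a tool such as Shadow Explorer) before concluding that Previous Versions is a dead end.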

#6 uffa (Members, 2 posts)

Posted 02 June 2017 - 02:19 AM

Hi,

Dr.Web has just updated a ticket I opened on 12th May, saying they can decode Jaff ransomware encrypted files, posting a decoded file as evidence.



#7 quietman7, Bleepin' Janitor (Global Moderator, 49,583 posts, Male, Virginia, USA)

Posted 02 June 2017 - 05:36 AM

That's good news. Please confirm if they are able to decrypt all files.

I know that Dr.Web has been the only vendor able to assist victims of Crypt0L0cker with decrypting files.

#8 alexlouis (Members, 5 posts)

Posted 09 June 2017 - 08:42 AM

I'm also infected with this.

 

@uffa any news? Thanks.



#9 uffa (Members, 2 posts)

Posted 10 June 2017 - 04:19 AM

> I'm also infected with this.
>
> @uffa any news? Thanks.

Hi, still waiting for the customer's decision on how to proceed (paying for a Dr.Web license or risk missing something from backup). Have you opened a decode request with Dr.Web for your case?


Edited by uffa, 10 June 2017 - 04:19 AM.


#10 alexlouis (Members, 5 posts)

Posted 10 June 2017 - 05:26 AM

Yes. Waiting for their response now.



#11 quietman7, Bleepin' Janitor (Global Moderator, 49,583 posts, Male, Virginia, USA)

Posted 10 June 2017 - 06:51 AM

Please be patient. Dr.Web's lab is inundated with support requests and assistance may take some time.

Since mid-April 2013, Doctor Web's virus laboratory has received more than 40,000 decryption requests to restore files affected by Trojan encoders, and now receives over 4 000 requests a month...In November, 2015 the number of requests submitted to Doctor Web's technical support service for decryption from the Trojan.Encoder malware family reached 60% of the total number of requests made. And the vast majority of requests are from users of other anti-viruses.

Dr.Web: Encryption ransomware - Threat No. 1

#12 lozo (Members, 2 posts, Male)

Posted 12 June 2017 - 01:14 AM

.Jaff and .wlu are decodable by Dr.Web. They sent me decoded files as proof, now I'm waiting for the customer to decide.



#13 cybercynic (Members, 553 posts, Male, Edge Of Tomorrow)

Posted 14 June 2017 - 02:18 PM

Kaspersky now has a free Jaff decrypter: https://www.bleepingcomputer.com/news/security/decrypted-kaspersky-releases-decryptor-for-the-jaff-ransomware/




#14 alexlouis (Members, 5 posts)

Posted 15 June 2017 - 10:53 AM

Beware of this decryptor. I tried it on .sVn encrypted files and most of the restored content is now corrupt. Do not let it delete the original encrypted files. Best try it on a clone of your drive. If you only need to recover a handful of critical files, you may be in luck.



#15 cybercynic (Members, 553 posts, Male, Edge Of Tomorrow)

Posted 15 June 2017 - 11:22 AM

If you are having problems with this decryptor, you need to contact Kaspersky for help.






