We are happy to report that the Fedor Sinitsyn, a senior malware analyst at Kaspersky Labs, has discovered a weakness in the Jaff ransomware and was able to release a decryptor for all variants that have been released to date. For those who were infected with the Jaff Ransomware and had their files encrypted with the .jaff, .wlu, or .sVn extensions, this decryptor can recover your files for free.

While using the decryptor, if you have any questions or need support in decrypting your files, please feel free to post in our dedicated Jaff Ransomware Help & Support Topic

How to Decrypt Jaff (SVN, WLU, Jaff) Encrypted Files Using RakhniDecryptor

Victims of the Jaff ransomware can be identified by their files being encrypted and have either the .jaff, .wlu, or .sVn extension appended to the file name. For example, a file called test.jpg would be encrypted and renamed as test.jpg.jaff, test.jpg.wlu, or test.jpg.sVn. An example of a folder of files encrypted by the .sVn variant of Jaff can be seen below.

Jaff Encrypted Files
Jaff Encrypted Files

Before we can begin decrypting Jaff encrypted files, we first need to terminate the ransomware. To do this, open the Windows Task Manager by pressing the Ctrl+Alt+Delete keyboard combination on your keyboard to open the Windows security screen. Then select Task Manager. 

Once Task Manager is open, look for a process that appears to have a random name. For example, one campaign of the .sVn variant was using file names such as SKM_C224e9930.exe. Once you determine the Jaff process that is running, you should terminate it by clicking on the End Process button while the process is highlighted. If you cannot identify a running process, please feel free to post an image of your task manager or a list of running processes and we can let you know which process to terminate. It may also be possible that there will be no Jaff process running.

Task Manager

Now that Jaff is no longer running on the computer, we can begin to decrypt the encrypted files. First you need to download the RakhniDecryptor, extract the program, and then run it. Once running it will display the main screen as shown below.


Before starting, you need to make sure that you are using version, which supports the Jaff ransomware. To check the version of the RakhniDecryptor you can click on the About link at the bottom left of the above screen. This will display a small window that shows the version of RakhniDecryptor.

About Screen
About Screen

If you are using version or greater, then you should click on the Start scan button and RakhniDecryptor will prompt you to select an encrypted file. Browse to a folder that contains Jaff encrypted files and select a .Word, Excel, PDF, music, or image file. 

Select a Jaff Encrypted File
Select a Jaff Encrypted File

Once you have selected an encrypted file, RakhniDecryptor will prompt you to select a ransom note as well.

Select Ransom Note
Select Jaff Ransom Note

Once you have selected the ransom note, click on the Open button. RakhniDecryptor will now scan the entire computer for encrypted files and decrypt them.

Decrypting Jaff Encrypted Files
Scanning for Jaff Encrypted Files

This process can take quite a long time, so please be patient while it scans your computer and decrypts the files.  

When it has finished, you will be at a completed screen as shown below.

Decryption Completed
Decryption Completed

You can then click on the details link to see a full list of Jaff files decrypted by the decryptor.

Scan Results Page
Scan Results Page

It should be noted that even though your files are now decrypted, the original encrypted files will be left behind.

Decrypted Folder
Folder of Decrypted Files

Though your files are now decrypted, the original encrypted files will still be on your computer. Once you confirm that your files have been properly decrypted, you can use CryptoSearch to move all the encrypted files into one folder so you can delete or archive them.

Now that the files have been decrypted, you can close the RahkniDecryptor program.

Related Articles:

The Week in Ransomware - October 12th 2018 - NotPetya, GandCrab, and More

Windows 10 Ransomware Protection Bypassed Using DLL Injection

New Reports Show Increased CyberThreats, User Risks Remain High

The Week in Ransomware - October 5th 2018 - Restaurant Shutdowns & Exploit Kits

Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware