A new variant of the Jaff ransomware was discovered by security researchers Brad Duncan & Marcelo Rivero that includes an updated design for the ransom note and the new WLU extension for encrypted files. Like the first variant of Jaff, this new version continues to be distributed through MALSPAM campaigns that utilize malicious documents and macros to download and install the ransomware.

For those who are infected, or just wish to discuss the Jaff ransomware, you can do so in our dedicated Jaff Ransomware Help & Support Topic.

WLU Jaff Ransom Variant Comes with an Updated Ransom Note

With this new WLU version, Jaff started using a new design for its ransom note and a new name for its decryption service. In the previous version, the ransom note was titled "jaff decryptor system" and consisted of a blank, amateurish page whose CSS and HTML were a mess.

This new version is now titled "JAFF DECRYPTOR" and definitely looks like they dedicated some time to it. Unfortunately, as the Jaff developers are now releasing new versions and updating their design to appear more "professional", it may indicate that their previous campaigns have been successful. With that said, we can expect to see more updates in the future.

Updated Jaff Ransom Note

The Jaff WLU Variant is Being Distributed via Emails Pretending to be Invoices

The new Jaff campaign is being distributed through emails that pretend to be invoices for the recipient. These emails have subjects such as Copy of Invoice 99483713 or Invoice(58-0710), where the number is random, and they carry a malicious PDF attachment. You can see an example of one of these emails below.

Jaff WLU Variant SPAM Email

When a victim opens up the PDF attachment, depending on the PDF reader installed, a prompt to open an embedded Word document will be displayed.

Malicious PDF

If the victim opens the Word doc, they will be presented with the standard Enable Security and Enable Content prompts in order to enable the macros embedded in the document.

Enable Content Prompt

Once the user clicks on Enable Content, the macros will be executed and will download a copy of the ransomware and execute it. You can see an example of the macros below.

Embedded Macros

Once the ransomware is executed, it will scan your computer for targeted file types and encrypt them using AES encryption. The current list of targeted file extensions is:

.001, .002, .004, .005, .006, .007, .008, .009, .010, .1cd, .3dm, .3ds, .3fr, .3g2, .3pr, .7ZIP, .MPEG, .aac, .ab4, .accdb, .accde, .accdt, .acd, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .aif, .aiff, .ait, .aoi, .apj, .arw, .as4, .asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .cad, .cbr, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .csh, .csl, .css, .csv, .dac, .dat, .db3, .db_journal, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .deb, .der, .des, .design, .dgc, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dsr, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erd, .exf, .fdb, .ffd, .fff, .fhd, .fif, .fla, .flac, .flv, .flvv, .fpx, .fxg, .gif, .gray, .grey, .groups, .gry, .gz, .hbk, .hdd, .hdr, .hpp, .htm, .html, .ibank, .ibd, .ibz, .ico, .ics, .idf, .idx, .iff, .iif, .iiq, .incpas, .indd, .iso, .java, .jnt, .jpe, .jpeg, .jpg, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lit, .log, .lua, .m2ts, .m3u, .m4a, .m4p, .m4v, .mapimail, .max, .mbx, .mdb, .mdc, .mdf, .mdi, .mef, .mfw, .mid, .mix, .mkv, .mlb, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpd, .mpg, .msg, .myd, .ndd, .ndf, .nef, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obd, .obj, .obt, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .ord, .ost, .otg, .oth, .otp, .ots, .ott, .ova, .p12, .p7b, .p7c, .pab, .pages, .par, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .plc, .plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .prn, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .qba, .qbb, .qbm, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rdb, .rpm, .rtf, .rvt, .rw2, .rwz, .s3db, .safe, .sas7bdat, 
.sav, .save, .say, .sd0, .sda, .sdf, .sitx, .sldm, .sldx, .sql, .sqlite, .sqlite3, .sqlitedb, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .swm, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tex, .tga, .thm, .tib, .tif, .tlg, .txt, .vbox, .vcf, .vdi, .veg, .vhd, .vhdx, .vib, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vsc, .vsd, .wab, .wad, .wallet, .wav, .waw, .wb2, .wbk, .wda, .wma, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xmod, .ycbcra, .zip, .zipx, .zpf

When encrypting a file it will append the .wlu extension to the encrypted file's name.

Files encrypted with the WLU Jaff Ransomware Variant

It is not possible to decrypt the Jaff Ransomware WLU Variant

Unfortunately, it is not possible to decrypt .wlu files encrypted by the Jaff Ransomware for free.

The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. If you are unable to restore your files from a backup, I always suggest that victims try and restore their files from Shadow Volume Copies to be safe. A guide on how to do this can be found in the How to recover files and folders using Shadow Volume Copies article. 

As always, if you need assistance with this ransomware or its removal, you can ask for help in our dedicated Jaff Ransomware Help & Support Topic.


IOCs

Hashes:

See Brad's SANS Diary for a full list of hashes

Jaff WLU Ransom Note:

/////////////////////////////////////////////////////////////////////////////////
Files are encrypted!
To decrypt flies you need to obtain the private
key.

The only copy of the private key, which will allow you to decrypt your
files, is located on a secret server
in the Internet.

1.
You must install Tor Browser:
https://www.torproject.org/download/download-easy.html.en

2.
After instalation, run the Tor Browser and enter address:
http://rktazuzi7hbln7sy.onion/

Follow the instruction on the website.

Your decrypt ID: 1111111111

//////////////////////////////////////////////////////////////////////////////

Network Traffic:

maximusstafastoriesticks.info/a5/

Files associated with the WLU Jaff Ransomware Variant:

README_TO_DECRYPTl.txt
README_TO_DECRYPTl.bmp
README_TO_DECRYPT.html
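As an added example (not code from the article or from the researchers it cites), the following Python turns the indicators above and the invoice-lure pattern described earlier into simple triage checks a defender can run over mail metadata and a host's file listing. The subject regexes are assumptions generalised from the two example subjects the article quotes; the mail records and file paths are constructed sample data.

```python
import re
from pathlib import PurePosixPath

# Indicators taken from the write-up.
RANSOM_NOTES = {"README_TO_DECRYPTl.txt", "README_TO_DECRYPTl.bmp",
                "README_TO_DECRYPT.html"}
ENCRYPTED_EXT = ".wlu"
DOWNLOAD_PATH = "maximusstafastoriesticks.info/a5/"
# Assumed lure patterns, generalised from "Copy of Invoice 99483713"
# and "Invoice(58-0710)".
SUBJECT_PATTERNS = [
    re.compile(r"^Copy of Invoice \d{6,}$", re.I),
    re.compile(r"^Invoice\(\d{2}-\d{4}\)$", re.I),
]

def is_jaff_lure(subject, attachments):
    """True when the subject matches the invoice lure and a PDF is attached."""
    if not any(p.match(subject.strip()) for p in SUBJECT_PATTERNS):
        return False
    return any(a.lower().endswith(".pdf") for a in attachments)

def is_jaff_download(url):
    """Match the download URL seen in the campaign, ignoring the scheme."""
    stripped = re.sub(r"^https?://", "", url.strip().lower())
    return stripped.startswith(DOWNLOAD_PATH)

def triage_paths(paths):
    """Split a host file listing into dropped ransom notes and encrypted files.
    Jaff appends .wlu to the original name, so the original extension is the
    one immediately before .wlu; it is recorded to show what was hit."""
    notes, encrypted = [], {}
    for p in paths:
        name = PurePosixPath(p).name
        if name in RANSOM_NOTES:
            notes.append(p)
        elif name.lower().endswith(ENCRYPTED_EXT):
            original = PurePosixPath(name[:-len(ENCRYPTED_EXT)]).suffix.lower()
            encrypted[p] = original
    return {"notes": notes, "encrypted": encrypted}

# Constructed sample data for a stand-alone run.
SAMPLE_PATHS = [
    "/home/user/Documents/report.docx.wlu",
    "/home/user/Documents/README_TO_DECRYPTl.txt",
    "/home/user/Pictures/photo.jpg.wlu",
    "/home/user/Documents/README_TO_DECRYPT.html",
    "/home/user/notes.txt",
]

if __name__ == "__main__":
    print(is_jaff_lure("Copy of Invoice 99483713", ["invoice.pdf"]))
    print(triage_paths(SAMPLE_PATHS))
```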