
A new ransomware strain, .Jaff Virus File Ransomware, has been discovered. Early signs pointed to it being a new variant of the much-feared Locky ransomware, but that has turned out not to be the case.

.Jaff Virus File is the latest addition to the ransomware family. It has only just been unleashed on the public and is written in C. Like its predecessors, .Jaff is capable of encrypting a wide variety of file types on the victim's machine.

Once inside the targeted system, it immediately gets to work and renders a significant portion of the data stored there inaccessible. Affected users will notice that the extensions of their familiar files have been changed to .Jaff.

After all of the data the virus was after has been encrypted, it displays a rather disturbing message on the victim's screen, delivered as a file named ReadMe.htm, ReadMe.txt or ReadMe.bmp. As with many previous ransomware families, the criminals use this note to inform the user of the damage that has been done.
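The two on-disk artifacts described above (files renamed with a .jaff extension and ransom notes named ReadMe.htm, ReadMe.txt or ReadMe.bmp) are enough for a quick triage scan of a suspect machine or a mounted disk image. The script below is an added example, not code from the original article; it walks a directory tree, lists both kinds of artifact, and only flags the tree as "likely infected" when both are present, since a lone ReadMe.txt is common in ordinary software folders. The sample tree it builds is constructed for offline testing and contains no real victim data.

```python
"""Triage scan for Jaff artifacts: *.jaff files and ReadMe.{htm,txt,bmp} notes.

Added example for this article; not the ransomware author's or Tripwire's code.
"""
import os
import tempfile
from pathlib import Path

# Artifact names as described in the article; matched case-insensitively.
RANSOM_NOTE_NAMES = {"readme.htm", "readme.txt", "readme.bmp"}
ENCRYPTED_SUFFIX = ".jaff"


def scan_for_jaff(root):
    """Walk `root` and classify every regular file.

    Returns a dict with sorted, POSIX-style relative paths for encrypted
    files, ransom notes and untouched files, plus a `likely_infected` verdict
    that requires BOTH encrypted files and at least one ransom note.
    """
    root = Path(root)
    encrypted, notes, untouched = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = (Path(dirpath) / name).relative_to(root).as_posix()
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
            elif lowered in RANSOM_NOTE_NAMES:
                notes.append(rel)
            else:
                untouched.append(rel)
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "untouched": sorted(untouched),
        # A ReadMe.txt on its own is not evidence; the extension on its own is
        # unusual but could be a false positive, so require both signals.
        "likely_infected": bool(encrypted) and bool(notes),
    }


def build_sample_tree(base):
    """Create a constructed sample tree (placeholder bytes, not real data)."""
    base = Path(base)
    (base / "Documents").mkdir(parents=True, exist_ok=True)
    (base / "Pictures").mkdir(exist_ok=True)
    for rel in [
        "Documents/budget.xlsx.jaff",
        "Documents/notes.docx.jaff",
        "Documents/ReadMe.txt",
        "Documents/ReadMe.htm",
        "Pictures/holiday.jpg",  # a file the scan should leave in "untouched"
        "Pictures/ReadMe.bmp",
    ]:
        (base / rel).write_bytes(b"placeholder")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_for_jaff(build_sample_tree(tmp))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Point `scan_for_jaff()` at a user's profile or a mounted image rather than at the whole filesystem; the list of untouched files is useful for deciding what can be copied off before the machine is rebuilt, and the encrypted list can be matched against backup catalogues to plan the restore.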

Their ransom demands are outlined in a "jaff decryptor system" note and amount to a staggering 2.036 bitcoins, roughly $3,726 at the time of writing. We would like to make a strong point here, and most security experts will agree, that complying with the ransom demand is not advisable.

Paying the hackers will only encourage them to continue their criminal scheme. What is more, it does not guarantee that you will regain access to your encrypted data; in fact, the chances of that are rather slim.

.Jaff Virus File appears to be spreading through the same Necurs botnet that distributes Locky, which is what led many researchers to suspect it was a new Locky variant. Users should be on the lookout for suspicious emails from unfamiliar or otherwise shady sources.

Note that the attackers are quite cunning and use elaborate techniques to make their malicious messages look as trustworthy as possible. Keep a particular eye out for messages carrying file attachments. We recommend avoiding any interaction with such correspondence, and if you do happen to open such an email, by no means open the enclosed files.

As for those unfortunate users who have already fallen prey to this malware, there are ways to counter its effects that do not involve paying the ransom. First and foremost, the ransomware must be removed before anything else is done; otherwise any files you restore may simply be encrypted again.

Recovering the affected data from system or other backups, or using a specialized decryptor should one become available, are your best chances of success. Stay tuned for future updates on this newest threat.


About the Author: Daniel Sadakov has a degree in Information Technology and specializes in web and mobile cyber security. He harbors a strong detestation for anything and everything malicious and has committed his resources and time to battling all manner of web and mobile threats. He has founded, a website dedicated to covering the top tech stories and providing useful tips for the everyday user, in an effort to reach and help more people.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.