Jaff is a ransomware strain distributed by the Necurs botnet and loaded onto vulnerable computers. It usually arrives in suspicious PDF files that have an embedded .docm file with a malicious macro. Once inside a victim’s computer, the ransomware scans for predetermined file types and encrypts them with asymmetric encryption, meaning that a special key is required to decrypt individual files.
The Jaff ransomware was released in 2017, at about the same time that the WannaCry ransomware was wreaking havoc across the world. And just like the WannaCry virus, the Jaff malware infected thousands of computers worldwide.
What Can Jaff Ransomware Do?
The Jaff infection process begins when a victim runs the macro in the infected Microsoft Word DOCM document. Once inside a computer, the Jaff malware searches for files matching 424 specific file extensions and encrypts them. It then appends a .jaff extension to every one of the encrypted files, so that if the original file was myimage.jpg, it becomes myimage.jpg.jaff.
After the encryption process is complete, the malware leaves behind a ransom note indicating the ransom amount to be paid (2 Bitcoins) and where it needs to be sent. Cybersecurity researchers have observed that the authors of the Jaff ransomware copied the payment request code from another notorious ransomware called Locky.
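The .jaff suffix described above makes it possible to measure the damage before choosing a recovery option. The following Python script is an added example, not part of the original article. It inventories every *.jaff file under a folder, recovers the original file names, and reports the earliest modification time, on the assumption that this timestamp marks when encryption began.

```python
import os
from collections import Counter
from datetime import datetime, timezone

JAFF_SUFFIX = ".jaff"  # extension the article says is appended to encrypted files


def find_jaff_files(root):
    """Walk root and return (path, original_name, mtime) for every *.jaff file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if not name.lower().endswith(JAFF_SUFFIX):
                continue
            original = name[: -len(JAFF_SUFFIX)]
            if not original:      # a file named just ".jaff" has no original name
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:       # unreadable, or removed while we were walking
                continue
            hits.append((path, original, mtime))
    return hits


def summarize(hits):
    """Count affected files per original extension and find the earliest mtime.

    Assumption: the mtime of a .jaff file reflects when it was encrypted, so
    the earliest one is a lower bound for a clean restore point or backup.
    """
    by_ext = Counter(os.path.splitext(orig)[1].lower() or "(none)"
                     for _path, orig, _mtime in hits)
    first = min((mtime for _path, _orig, mtime in hits), default=None)
    first_utc = (datetime.fromtimestamp(first, tz=timezone.utc)
                 if first is not None else None)
    return {"total": len(hits), "by_extension": dict(by_ext),
            "first_seen_utc": first_utc}


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    report = summarize(find_jaff_files(root))
    print(f"{report['total']} encrypted files under {root}")
    for ext, count in sorted(report["by_extension"].items(), key=lambda kv: -kv[1]):
        print(f"  {ext:10} {count}")
    if report["first_seen_utc"]:
        print("earliest .jaff timestamp (UTC):", report["first_seen_utc"].isoformat())
```

Run it against a user profile or file share; a restore point or backup taken before the reported timestamp predates the encryption under the stated assumption.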
How to Remove the Jaff Ransomware
Removing the Jaff ransomware from your computer is no walk in the park as it uses stealthy techniques to keep anti-malware programs from detecting its presence until it is too late.
For example, once the malware file is downloaded, the Jaff ransomware starts decrypting its own code, and a code redirection routine is used to stretch the time it takes for an anti-malware program to analyze the malicious code. It is able to achieve this because it incorporates lots of garbage code that plays no part in its execution. Even after an anti-malware program analyzes the malicious code, it still faces the difficult task of identifying the API names that the Jaff ransomware uses, given that Jaff uses hashing techniques to hide its APIs.
Luckily, Microsoft has shared details of these stealthy techniques with its security partners, meaning that all you need to remove the Jaff ransomware is a powerful anti-malware solution such as Outbyte Anti-Malware.
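Why hashed API names slow down analysis, and how an analyst recovers them, shown as an added example (not code from Jaff or from the original article). The article does not name the hash Jaff uses, so the widely documented ROR13 scheme stands in as an assumption; the export list and the import blob are constructed samples.

```python
import struct


def ror13(name):
    """Stand-in API hash (assumption: the article does not name Jaff's own)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 bits
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed candidate list; a real table is built from the export tables
# of the system DLLs on a clean reference machine.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileA",
    "WriteFile", "CloseHandle", "FindFirstFileW", "FindNextFileW",
]


def build_lookup(names, hash_fn=ror13):
    """Precompute hash -> [names]; a list keeps any collision visible."""
    table = {}
    for name in names:
        table.setdefault(hash_fn(name), []).append(name)
    return table


def sample_import_blob(names):
    """Constructed sample: 32-bit little-endian hashes as stored in a binary."""
    return b"".join(struct.pack("<I", ror13(n)) for n in names)


def extract_hashes(blob):
    """Read consecutive 32-bit little-endian values from the blob."""
    return [value for (value,) in struct.iter_unpack("<I", blob)]


def resolve(hashes, table):
    """Map each hash back to candidate API names; [] means still unknown."""
    return [(h, table.get(h, [])) for h in hashes]


if __name__ == "__main__":
    blob = sample_import_blob(["VirtualAlloc", "CreateFileA"])
    print("API name visible in blob:", b"VirtualAlloc" in blob)
    for h, names in resolve(extract_hashes(blob), build_lookup(CANDIDATE_EXPORTS)):
        print(f"0x{h:08X} -> {names or 'unknown'}")
```

A string search over the blob finds no API names, which is what defeats simple static scanning; the precomputed table restores them once the hash routine has been identified.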
To isolate the malware, you need to run your Windows device in Safe Mode with Networking. Safe Mode is a basic Windows state that runs on a minimum of Windows apps and settings, and is excellent for troubleshooting Windows issues.
Here is how to boot your Windows PC to Safe Mode with Networking:
- Press the Windows + I keys on your keyboard to open Settings.
- On the Settings app, go to Update & Recovery.
- Under Advanced Startup, select Restart now.
- On the Choose an Option screen that appears once your computer restarts, select Troubleshoot > Advanced options > Startup Settings > Restart.
- Once your computer restarts again, press the F5 key to choose Safe Mode with Networking.
Safe Mode with Networking will let you access network resources, such as the internet, which you can use to download utility tools or learn more about the Jaff ransomware removal process.
Once the anti-malware has successfully dealt with the virus, you now need to clean your computer with a PC repair tool. The repair tool will clear all junk files, repair broken registry entries, and improve the overall performance of your device. If you are using a Mac, the equivalent of the Windows PC repair tool is Outbyte macAries.
Now that you have removed the malware from your computer and cleaned it with a PC repair tool, it is high time that you took advantage of some Windows recovery options.
The recovery options include Startup Repair, Command Prompt, System Image Recovery, System Restore, Go back to the previous version, Refresh this PC, and Reset this PC. This article will show you how to perform two of these.
System Restore is a Windows recovery option that lets you undo any changes to your computer’s system files past a certain restore point. This means that you can use System Restore to remove an app or any problematic programs, including malware entities and their dependencies.
To get to the System Restore option, take the following steps:
- Go to the Windows search box and type “create a restore point”.
- Click on the first result of this search to get to the System Properties app.
- On the System Properties app, go to the System Protection tab and tap System Restore.
- Choose a restore point from the list of restore points that are available on your computer. If you don’t have restore points available, consider using other Windows recovery options.
- After selecting a restore point, follow the on-screen instructions to complete the process.
Reset This PC
The other Windows recovery option that we are going to be looking at is the Reset This PC option. This lets you keep a copy of your files, although in this case, you shouldn’t bother given that they are already encrypted by the Jaff ransomware.
Here are the steps to take to reset your PC:
- Hold and press the Windows and I keys to get to the Settings app.
- Click on Update & Recovery > Recovery.
- Under the option Remove everything and reinstall Windows tap Get Started.
- Follow the on-screen instructions to complete the process.
If you follow the steps outlined above, starting by downloading a premium anti-malware software, you will successfully complete the Jaff ransomware removal process.
Some folks might be wondering if it is worth paying the ransom as part of dealing with the Jaff ransomware. Well, while it is within your right to pay the ransom amount, it is not something that we would recommend, as it only encourages cybercriminals to create ever more powerful ransomware threats. Not to mention, there is really no guarantee that you will get your files back once you pay the ransom, as there are cases where the cybercriminals went silent after receiving the ransom amount.
What we would ask you to do instead is to keep a backup of your files preferably in the cloud so that even if you are a victim of a nasty ransomware attack, you don’t have to part with anything because all your files are within arm’s reach.
Also, refrain from opening attachments from unknown sources. It is best to verify the authenticity of that strange email that once in a while comes your way.