Security researchers have found a weakness in the increasingly common Jaff ransomware that makes it possible to unlock files that are held for ransom by the attack.
Researchers at Kaspersky Lab have used that weakness to build a free tool that recovers encrypted files by reconstructing the decryption keys needed to reverse the encryption scheme Jaff applies.
“We have found a vulnerability in Jaff’s code for all the variants to date. Thanks to this, it is now possible to recover users’ files [encrypted with the .jaff, .wlu, or .sVn extensions] for free,” Kaspersky Lab said in a statement.
The Jaff ransomware is relatively new, first identified last month. Its spread is linked to the Necurs botnet — a collection of compromised, internet-connected devices that their operators can direct to distribute malicious campaigns.
The same botnet distributing Jaff has also been linked to the Locky and Dridex campaigns, both of which operated similarly: infect a user’s machine, encrypt files and demand a ransom before the files are unlocked.
The attacks, including Jaff, are carried out primarily through spam campaigns with PDF or Microsoft Word documents attached. Those documents contain hidden downloaders that run in the background to install the ransomware on the machine.
According to researchers examining how Jaff operates, the malicious software is downloaded when a recipient opens the .PDF file attached to the email. Once installed, it begins encrypting the user’s files to make them inaccessible.
After it has locked up the user’s files, the malware demands that the victim pay between 0.5 and two bitcoin (currently valued at between $1,500 and $5,000) to the attackers to regain access to the files.
Earlier this month, researchers discovered that Jaff shared a strain of malware with a black market bazaar found to be selling stolen bank and credit card account information. It is unclear whether there is a connection between Jaff and the credit card data being sold.
Kaspersky said the top countries affected by Jaff thus far include China, India, Russia, Egypt and Germany.
Kaspersky Lab has released a number of decryption tools that defeat ransomware attacks. Previously, the company has created ways to undermine variants of CoinVault, TeslaCrypt, Wildfire and Crybola as part of its No Ransom project.
Ransomware attacks like Jaff have become more common in recent years. According to a report published earlier this year by Symantec, ransomware attacks increased by 36 percent and ransom demands spiked by 266 percent in 2016. More than 100 new ransomware variants were discovered in the wild over the course of last year.