.sVn Files Virus (Jaff Ransomware) Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

.sVn Files Virus (Jaff Ransomware) Remove and Restore Files

An article created with the agenda to help you remove Jaff Ransomware’s latest variant using !!!!README_FOR_SAVE FILES.txt and .sVn extension and show how to restore encrypted files.

New version of the notorious Jaff ransomware virus has been detected in the wild by malware researcher Marcelo Rivero(https://twitter.com/MarceloRivero). The virus aims to perform significant changes to the files on the infected computers, so that the files can no longer be opened by the victim. It also adds the .sVn file extension to the encrypted files, changes the wallpaper with a ransom note and drops a text file, named !!!!README_FOR_SAVE FILES.txt to scare off the victims into paying the ransom. If you are a victim of the latest .sVn variant of Jaff ransomware, we advise you to read this article thoroughly.

Threat Summary

Name.sVn Files Virus (Jaff)
TypeRansomware, Cryptovirus
Short DescriptionBeing spread by using the same tactics as it’s previous variants. Encrypts the files and then demands a hefty ransom fee to be paid to get them back.
SymptomsEncrypts the files and puts the .sVn file extension as a suffix. Drops a ransom note, named !!!!README_FOR_SAVE FILES.txt with instructions how to pay the ransom. Changes wallpaper to black and white image.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .sVn Files Virus (Jaff)


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .sVn Files Virus (Jaff).
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.sVn Ransomware – Infection

For the infection process, the latest iteration of Jaff continues to use the newly developed scheme of spreading the malicious files by utilizing malicious Microsoft Word documents that are embedded within .PDF files. The latest spam campaign uses the following messages to trick victims into opening the e-mails:

After the victims open the PDF document, they see a message prompting them to open an attached .docm file:

As soon as the victim clicks on the “OK” button on the “Open This File” pop-up box, the PDF file extracts the Microsoft Word document on the computer of the victim. When the document is opened, the victim is asked to click on “Enable Content” to read the contents of the document. However, instead of getting the actual contents, Jaff ransomware infects the computer:

According to malware-traffic-analysis.net there are multiple hosts to which the macro commands are configured connect to download the payload of Jaff .sVn ransomware:

→ 10minutesto1.net – GET /jt7677g6
cafe-bg.com – GET /jt7677g6
community-gaming.de – GET /jt7677g6
cor-huizer.nl – GET /jt7677g6
essentialnulidtro.com/af – GET /jt7677g6
lcpinternational.fr – GET /jt7677g6
luxurious-ss.com – GET /jt7677g6
makh.ch – GET /jt7677g6
myinti.com – GET /jt7677g6
mymobimarketing.com – GET /jt7677g6
oneby1.jp – GET /jt7677g6
seoulhome.net – GET /jt7677g6
sextoygay.be – GET /jt7677g6
squidincdirect.com.au – GET /jt7677g6
studyonazar.com – GET /jt7677g6
supplementsandfitness.com – GET /jt7677g6
zechsal.pl – GET /jt7677g6

.sVn File Jaff Ransomware Analysis

When the victim of Jaff Ransomware opens the malicious files on the infected computer the virus connects to the hosts and downloads the payload on the compromised computer. The virus is coded in the “C” programming language and aims to create multiple Windows registries in the Registry Editor of Windows. These registry strings are created with the suspected goad to launch Windows processes as administrator and perform it’s malicious activity. One of those activities are to run the malicious file of the .sVn Jaff variant automatically on Windows boot.

The Jaff .sVn ransomware also drops it’s ransom note file, named !!!!README_FOR_SAVE FILES.txt and along it, the virus also changes the wallpaper of the victim to a black and white image with the following contents:

“Your decrypt ID: {ID HERE}
Files are encrypted! To decrypt flies you need to obtain the private key.
The only copy of the private key which will allow you to decrypt your files is located on a secret server in the Internet.”

From there, the victim is pointed to a Tor-based web page that aims to convince him to download jaff decryptor, similar to what Locky ransomware(https://sensorstechforum.com/remove-locky-ransomware/) does.

.sVn Files Virus Encryption Process

The encryption of files by .sVn ransomware is perfomed so that only specific types of files are enciphered. The virus hunts for around 400 different file extensions, which are reported to be the following:

→ .xlsx, .acd, .pdf, .pfx, .crt, .der, .cad, .dwg, .MPEG, .rar, .veg, .zip, .txt, .jpg, .doc, .wbk, .mdb, .vcf, .docx, .ics, .vsc, .mdf, .dsr, .mdi, .msg, .xls, .ppt, .pps, .obd, .mpd, .dot, .xlt, .pot, .obt, .htm, .html, .mix, .pub, .vsd, .png, .ico, .rtf, .odt, .3dm, .3ds, .dxf, .max, .obj, .7z, .cbr, .deb, .gz, .rpm, .sitx, .tar, .tar, .gz, .zipx, .aif, .iff, .m3u, .m4a, .mid, .key, .vib, .stl, .psd, .ova, .xmod, .wda, .prn, .zpf, .swm, .xml, .xlsm, .par, .tib, .waw, .001, .002 003, ., .004, .005, .006, .007, .008, .009, .010, .contact, .dbx, .jnt, .mapimail, .oab, .ods, .ppsm, .pptm, .prf, .pst, .wab, .1cd, .3g2, .7ZIP, .accdb, .aoi, .asf, .asp, . aspx, .asx, .avi, .bak, .cer, .cfg, .class, .config, .css, .csv, .db, .dds, .fif, .flv, .idx, .js, .kwm, .laccdb, .idf, .lit, .mbx, .md, .mlb, .mov, .mp3, .mp4, .mpg, .pages, .php, .pwm, .rm, .safe, .sav, .save, .sql, .srt, .swf, .thm, .vob, .wav, .wma, .wmv, .xlsb, .aac, .ai, .arw, .c, .cdr, .cls, .cpi, .cpp, .cs, .db3, .docm, .dotm, .dotx, .drw, .dxb, .eps, .fla, .flac, .fxg, .java, .m, .m4v, .pcd, .pct, .pl, .potm, .potx, .ppam, .ppsx, .ps, .pspimage, .r3d, .rw2, .sldm, .sldx, .svg, .tga, .wps, .xla, .xlam, .xlm, .xltm, .xltx, .xlw, .act, .adp, .al, .bkp, .blend, .cdf, .cdx, .cgm, .cr2, .dac, .dbf, .dcr, .ddd, .design, .dtd, .fdb, .fff, .fpx, .h, .iif, .indd, .jpeg, .mos, .nd, .nsd, .nsf, .nsg, .nsh, .odc, .odp, .oil, .pas, .pat, .pef, .ptx, .qbb, .qbm, .sas7bdat, .say, .st4, .st6, .stc, .sxc, .sxw, .tlg, .wad, .xlk, .aiff, .bin, .bmp, .cmt, .dat, .dit, .edb, .flvv, .gif, .groups, .hdd, .hpp, .log, .m2ts, .m4p, .mkv, .ndf, .nvram, .ogg, .ost, .pab, .pdb, .pif, .qed, .qcow, .qcow2, .rvt, .st7, .stm, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .3fr, .3pr, .ab4, .accde, .accdt, .ach, .acr, .adb, .srw, .st5, .st8, .std, .sti, .stw, .stx, .sxd, .sxg, .sxi, .sxm, .tex, .wallet, .wb2, .wpd, .x11, .x3f, .xis, .ycbcra, .qbw, .qbx, .qby, .raf, .rat, .raw, .rdb rwl, .rwz, .s3db, .sd0, .sda, .sdf, .sqlite, .sqlite3, .sqlitedb, .sr, .srf, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pdd, .pem, .plus_muhd, .plc, .pptx, .psafe3, .py, .qba, .qbr, .myd, .ndd, .nef, .nk, .nop, .nrw, .ns2, .ns3, .ns4, .nwb, .nx2, .nxl, .nyf, .odb, .odf, .odg, .odm, .ord, .otg, .ibz, .iiq, .incpas, .jpe, .kc2, .kdbx, .kdc, .kpdx, .lua, .mdc, .mef, .mfw, .mmw, .mny, .moneywell, .mrw, .des, .dgc, .djvu, .dng, .drf, .dxg, .eml, .erbsql, .erd, .exf, .ffd, .fh, .fhd, .gray, .grey, .gry, .hbk, .ibank, .ibd, .cdr4, .cdr5, .cdr6, .cdrw, .ce1, .ce2, .cib, .craw, .crw, .csh, .csl, .db_journal, .dc2, .dcs, .ddoc, .ddrw, .ads, .agdl, .ait, .apj, .asm, .awg, .back, .backup, .backupdb, .bank, .bay, .bdb, .bgt, .bik, .bpw, .cdr3, .as4

When the file types which Jaff is configured to encode are detected, the virus may use a combination of two strong ciphers to encrypt the files:

  • AES algorithm for the files.
  • RSA algorithm to create unique private and public keys for each file or set of files and make decryption more difficult.

After the files are encrypted, they assume the .sVn file extension and look like the following:

After the .sVn Jaff ransomware has already encrypted the files, it may also delete the shadow volume copies and hence eliminate any change of you restoring your files via Windows backup features. The commands It may use for this to happen are believed to be the following:

→ process call create “cmd.exe /c
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

Remove .sVn Files Virus and Restore Encrypted Files

Before you start removing malicious files and objects created by Jaff on your computer, you should backup the encrypted files, just in case. Then you can proceed with the removal by following the instructions for eliminating Jaff .sVn ransom variant below. They are specifically designed to help you delete the virus either manually or automatically. If you lack the experience in removing malware, experts often advise turning to an advanced anti-malware program which will help you delete the .sVn files virus automatically and protect your computer against future infections.

For the moment, there is no known free decryptor for the .sVn files virus. However, we are closely monitoring the situation and we recommend you to check our blog post for updates. In the meantime, you can try to restore a portion of your encrypted files preferably by using the alternative methods for file recovery in step “2. Restore files encrypted by .sVn Files Virus” below. They are not 100% guaranteed to help you recover all of the encrypted files, but with their aid you may restore a portion of them.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share