JCry ransomware (Simple Removal Guide) - Quick Decryption Solution
JCry virus Removal Guide
What is JCry ransomware?
JCry ransomware is a crypto-virus that was meant to be delivered to Israeli website visitors in the #OpJerusalem campaign
JCry ransomware is a crypto locker that encrypts files and demands ransom of $500 in bitcoin for the decryptor
JCry ransomware is a data-locking virus that was spotted in early March 2019, when the malware authors tried to attack thousands of Israeli websites through the Nagich plugin, which is used by many site developers.[1] The scheme failed because of a bug in the code, although the payload could have been distributed with the help of fake Flash Player updates delivered as the flashplayer_install.exe executable. JCry virus uses the AES and RSA encryption algorithms to encrypt data and appends the .jcry extension to each file, denying users access to their data once the modifications are performed. The malware drops the ransom note JCRY_Note.html, which explains to users that their important files have been encrypted and that they need a decryption key to regain access to them. Hackers ask for $500 worth of Bitcoin to be paid to a provided wallet. Additionally, JCry ransomware spawns a pop-up window via Dec.exe which serves the #OpJerusalem message.
| Name | JCry |
|---|---|
| Type | Ransomware |
| Related files | flashplayer_install.exe, Dec.exe, Enc.exe |
| Campaign | #OpJerusalem #OpIsrael |
| Cipher | AES + RSA |
| Ransom note | JCRY_Note.html |
| Ransom size | $500 in Bitcoin |
| Removal | Use reputable security software that can recognize the threat.[2] We recommend using FortectIntego, SpyHunter 5 or Combo Cleaner |
#OpJerusalem #OpIsrael is an annual cyber-attack campaign waged against Israel in the context of the Israel-Palestine conflict in the Middle East. The attackers who organize the criminal activity are driven by the goal of “erasing Israel from the Internet” because of the political struggle in the Gaza Strip. This year, on March 2nd, hackers tried to use JCry ransomware as the primary attack vector to infect visitors of Israeli websites with the malicious code.
However, due to a bug in the code, the JCry ransomware payload failed to deploy; instead of the original site, visitors saw the message “Jerusalem is the capital of Palestine #OpJerusalem”. The defaced page was intended only for users who were not running the Windows operating system, but the flaw caused the message to pop up for every user, and the JCry ransomware infection procedure failed entirely.
Nevertheless, JCry virus might be used in other campaigns and distributed by using such methods as spam email attachments or hyperlinks, brute-force attacks, exploit kits, fake updates, etc. Speaking of the latter, the #OpJerusalem attack was meant to be performed with the help of fake Flash updates, so malware authors might use this tactic in the future.
JCry is a ransomware virus that was intended to be used in #OpJerusalem cybercrime campaign against Israel
The flashplayer_install.exe file drops another two executables – Dec.exe and Enc.exe. The latter is the main executable that generates the AES and RSA keys for the encryption. After that, JCry ransomware contacts its C&C server[3] to send the relevant information and drops the ransom note JCRY_Note.html, which states:
All Your Important Files have been Encrypted
1- Send 500$ worth of Bitcoin to this Address : 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt
2- Download Tor Browser and Open the following Link : Recovery Link
3- Enter the Address used in Payement
4- We'll check your Payement and upload your Decryption Key
5- Open the same link again (after a while) and enter your Unique ID to get your Decryption Key
Your Unique Key :
Additionally, the Dec.exe delivers another note with ASCII Text Art “#OpJerusalem,” in addition to “Jerusalem is the capital of Palestine” message.
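The indicators named above (the .jcry extension, the JCRY_Note.html note and the dropped files flashplayer_install.exe, Dec.exe and Enc.exe) are enough for a defender to confirm whether a machine was touched by this family before any cleanup starts. The following read-only triage script is an added example, not code from the article or from the malware authors; the -Root and -Report parameters, the CSV layout and the finding categories are this example's own choices.

```powershell
# Added example (not from the original article): read-only triage for the JCry
# indicators the text describes. Nothing is deleted or killed; the script only
# reports. Defaults to the current user's profile; pass -Root 'C:\' for a full scan.
param(
    [string[]]$Root   = @($env:USERPROFILE),                    # assumption: where to look
    [string]  $Report = (Join-Path $env:TEMP 'jcry-triage.csv')  # assumption: where to write
)

$droppedNames = @('flashplayer_install.exe', 'Dec.exe', 'Enc.exe')  # from the article
$findings     = New-Object System.Collections.Generic.List[object]

foreach ($dir in $Root) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $kind = $null
            if     ($_.Extension -ieq '.jcry')            { $kind = 'encrypted-file' }
            elseif ($_.Name -ieq 'JCRY_Note.html')         { $kind = 'ransom-note' }
            elseif ($droppedNames -contains $_.Name)       { $kind = 'dropped-executable' }
            if ($kind) {
                # Hash only the dropped executables so they can be compared with the
                # VirusTotal record the article cites; locked files are skipped quietly.
                $hash = ''
                if ($kind -eq 'dropped-executable') {
                    $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                    if ($h) { $hash = $h.Hash }
                }
                $findings.Add([pscustomobject]@{
                    Kind     = $kind
                    Path     = $_.FullName
                    SizeKB   = [math]::Round($_.Length / 1KB, 1)
                    Modified = $_.LastWriteTime
                    SHA256   = $hash
                })
            }
        }
}

# Summary per indicator type, then the full list to a CSV for the incident record.
$findings | Group-Object Kind | Select-Object Name, Count | Format-Table -AutoSize
$findings | Sort-Object Modified | Export-Csv -LiteralPath $Report -NoTypeInformation
Write-Host "Wrote $($findings.Count) findings to $Report"
```

Sorting the CSV by modification time is deliberate: the earliest .jcry entry approximates when encryption began, which helps when choosing a restore point or backup generation later in the guide.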
While it is obvious that the authors of the virus are active participants in the movement against Israel, the fact that they ask for payment indicates that money might be a motivator as well. This means that the infection rate might increase rapidly, and users all over the world could be targeted.
In case your device got infected with the virus, you should perform JCry ransomware removal using reputable security software that can detect the threat (we recommend using FortectIntego, SpyHunter 5 or Combo Cleaner). Entering Safe Mode with Networking is advised, although it might not be needed in every instance.
Once you remove JCry ransomware from your Windows machine, you can start file recovery procedure. Note that no decryptor is yet available, so ways of recovering data are limited to backups, third-party software or ransom payment. Researchers do not recommend paying or contacting criminals, as chances of being scammed are quite high.
Adobe Flash is an unsafe plugin that is often used by fake update malware delivery tactic
Adobe Flash Player has been a major focus of cybercriminals seeking to infect users with malware. Since the plugin is so widely used, fake updates, which claim that the software is outdated, are a popular tactic among hackers. Additionally, Flash Player is known to have multiple security flaws that leave users vulnerable to malware attacks. These bugs are often patched by Adobe, although many people fail to update their software on a regular basis.
Due to significant security flaws and the plugin's outdated technology, Adobe plans to shut it down by the end of 2020, discontinuing its support.[4] The software is not much needed anymore anyway, as newer technology and built-in alternatives exist in most modern browsers.
Ransomware authors are politically motivated and aim to infect Israeli users
Therefore, it is time to disable Adobe Flash altogether, or at least set it to click-to-run function. Once you stop using the plugin, the danger of installing fake updates will disappear as well. Aside from this, experts also recommend using general safety practices:
- Employ reputable security software;
- Use Firewall, VPN, password manager, ad-blocker, and similar tools that can help you increase online safety;
- Patch your system and software with the latest security updates upon their release;
- Beware of spam emails – malicious attachments and hyperlinks might lead to malware infection;
- Avoid using high-risk sites, such as torrent, porn, gambling, etc.;
- When installing freeware or shareware, always opt for Advanced/Custom installation settings instead of Recommended/Quick ones to avoid optional programs.
Terminate JCry ransomware and only then proceed with file recovery procedure
Before you attempt file recovery, you must remove JCry ransomware from your device. Otherwise, all your backups or recovered files will be encrypted repeatedly.
For complete JCry ransomware removal, you should use anti-malware software that can detect all the malicious entries and remove them. While manual elimination is possible, it requires extensive IT knowledge. Thus, regular users should stay away from tampering with system files, and leave the job to automatic removal tools.
Once JCry virus is terminated, you can connect your backup device or load files from a remote server. If you did not have backups prepared, do not lose hope, as decryption tools are developed by cyberthreat researchers regularly. Additionally, you can also try third-party recovery software that might help you to recover at least some of your files locked by .jcry file virus.
Getting rid of JCry virus. Follow these steps
Manual removal using Safe Mode
In case ransomware interferes with the AV software, you can use Windows' Safe Mode to erase the virus:
Important!
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
  - Temporary Internet Files
  - Downloads
  - Recycle Bin
  - Temporary files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
  - %AppData%
  - %LocalAppData%
  - %ProgramData%
  - %WinDir%
After you are finished, reboot the PC in normal mode.
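Steps 2 to 4 above are done by hand in Task Manager, the Startup tab and Disk Cleanup. The script below is an added example (not part of the original guide) that performs the same review in one pass from an elevated PowerShell prompt: processes whose image lives in a user-writable folder, the autostart entries, and executables recently created in the folders the guide names (%AppData%, %LocalAppData%, %ProgramData%, the Temp folders). It only lists; the decision to end a task or delete a file stays with the person reading the output. The -Days parameter, the set of watched folders and the file-extension list are this example's own assumptions.

```powershell
# Added example (not from the original guide): read-only version of Steps 2-4.
# Run as Administrator so that the paths of all processes are visible.
param([int]$Days = 7)  # assumption: how far back "recently created" reaches

# Folders the guide names plus the Temp folders; drop any that is undefined.
$watchDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData,
               $env:TEMP, (Join-Path $env:WINDIR 'Temp')) | Where-Object { $_ }

function Test-UnderWatchDir([string]$path) {
    foreach ($d in $watchDirs) {
        if ($path -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

'== Step 2: running processes whose image is in a user-writable folder =='
Get-Process | Where-Object { Test-UnderWatchDir $_.Path } |
    Select-Object Id, ProcessName, Path, StartTime | Format-Table -AutoSize

'== Step 3: autostart entries (Run/RunOnce keys and Startup folders) =='
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$autostart = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Get-ItemProperty -Path $key |
            ForEach-Object { $_.PSObject.Properties } |
            Where-Object { $_.Name -notmatch '^PS' } |   # skip the PS* provider properties
            ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
    }
}
$startupFolders = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$autostart += Get-ChildItem -Path $startupFolders -Force -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Command = $_.FullName } }
$autostart | Format-Table -AutoSize

"== Step 4: executables created in the last $Days days inside watched folders =="
$since = (Get-Date).AddDays(-$Days)
Get-ChildItem -Path $watchDirs -Recurse -Force -ErrorAction SilentlyContinue `
    -Include *.exe, *.dll, *.scr, *.bat, *.vbs, *.ps1 |
    Where-Object { $_.CreationTime -gt $since } |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, FullName | Format-Table -AutoSize
```

Review the three lists together: a process from %AppData% that also has a Run-key entry pointing at a file created in the last few days is exactly the pattern the manual steps are looking for, and the file path is what you would submit to a scanner before removing anything.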
Remove JCry using System Restore
To remove JCry ransomware, you can also make use of System Restore feature:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of JCry. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove JCry from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts. If your files are encrypted by JCry, you can use several methods to restore them:
Data Recovery Pro might be useful in file recovery
This application is originally designed to recover data that was lost or corrupted. Nevertheless, some users reported that it could also help with files that are encrypted by ransomware. So go ahead and try this software.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by JCry ransomware;
- Restore them.
Take advantage of Windows Previous Versions feature
This method can only be used if you had System Restore enabled before the JCry ransomware attack.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
In some cases, ShadowExplorer might recover all your files
If you were lucky and the virus did not delete Shadow Volume Snapshots, ShadowExplorer should be able to retrieve all your files.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
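The System Restore, Previous Versions and ShadowExplorer methods all depend on the same thing: restore points and Volume Shadow Copies that the ransomware did not delete. The script below is an added example (not part of the original guide) that checks, before you install anything, whether such copies still exist on the machine. It is read-only; run it from an elevated Windows PowerShell 5.1 prompt (Get-ComputerRestorePoint is not available in PowerShell 7). The output layout is this example's own choice.

```powershell
# Added example (not from the original guide): do restore points and shadow copies
# still exist? Read-only; run as Administrator in Windows PowerShell 5.1.

'== System Restore points (what the "Remove JCry using System Restore" step uses) =='
try {
    $points = Get-ComputerRestorePoint -ErrorAction Stop
    if ($points) {
        $points | Select-Object SequenceNumber, CreationTime, Description, RestorePointType |
            Format-Table -AutoSize
    } else {
        'No restore points recorded; the System Restore step will have nothing to choose from.'
    }
} catch {
    "System Restore is unavailable or disabled: $($_.Exception.Message)"
}

'== Volume Shadow Copies (what Previous Versions and ShadowExplorer read) =='
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
if (-not $shadows) {
    'No shadow copies present: Previous Versions and ShadowExplorer will find nothing.'
} else {
    $shadows | ForEach-Object {
        [pscustomobject]@{
            Volume     = $_.VolumeName      # the volume the snapshot belongs to
            Created    = $_.InstallDate     # pick a snapshot older than the first .jcry file
            DeviceObj  = $_.DeviceObject    # the \\?\GLOBALROOT path tools expose
        }
    } | Sort-Object Created | Format-Table -AutoSize
}
```

Compare the Created column with the modification time of the earliest .jcry file: only a snapshot taken before that moment contains clean copies, so restoring from a later one would just bring the encrypted files back.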
No decryption tool is available yet.
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from JCry and other ransomware, use a reputable anti-spyware tool, such as FortectIntego, SpyHunter 5, Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Choose a proper web browser and improve your safety with a VPN tool
Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic means of adding a layer of security is to choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes to and goes out of your computer, preventing tracking completely.
Lost your files? Use data recovery software
While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.
To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.
- [1] Olivia Morelli. JCry ransomware utilized in #OpJerusalem campaign against Israeli sites. 2-spyware. Cybersecurity news and articles.
- [2] flashplayer_install.exe. VirusTotal. File and URL analyzer.
- [3] Command and Control [C&C] Server. Trend Micro. Cybersecurity researchers.
- [4] Shaun Nichols. Adobe will kill Flash by 2020: No more updates, support, tears, pain.... The Register. Sci/Tech News for the World.