Severity scale: 98/100

JCry ransomware. How to remove? (Uninstall guide)

Removal guide by Gabriel E. Hall | Type: Ransomware

JCry ransomware is a crypto-virus that was meant to be delivered to visitors of Israeli websites in the #OpJerusalem campaign

[Image: JCry ransomware is a crypto-locker that encrypts files and demands a ransom of $500 in Bitcoin for the decryptor]

JCry ransomware is a data-locking virus that was spotted in early March 2019, when the malware authors tried to attack thousands of Israeli websites by abusing the Nagich plugin, which is used by many site developers.[1] The scheme failed due to a bug in the code, although the payload could have been distributed with the help of fake Flash Player updates delivered as the flashplayer_install.exe executable. The JCry virus uses the AES and RSA encryption algorithms to encrypt data and adds a .jcry marker to each affected file, denying the user access to it once the modification is done. The malware drops the ransom note JCRY_Note.html, which explains to users that their important files have been encrypted and that they need a decryption key to regain access to them. The hackers ask for $500 worth of Bitcoin to be paid to a provided wallet. Additionally, JCry ransomware spawns a pop-up window from Dec.exe that serves the #OpJerusalem message.

Name:          JCry
Type:          Ransomware
Related files: flashplayer_install.exe, Dec.exe, Enc.exe
Campaign:      #OpJerusalem #OpIsrael
Cipher:        AES + RSA
Ransom note:   JCRY_Note.html
Ransom size:   $500 in Bitcoin
Removal:       Use reputable security software that can recognize the threat.[2] We recommend using Reimage, Malwarebytes or Combo Cleaner

#OpJerusalem #OpIsrael is an annual cyber-attack campaign waged against Israel in the context of the Israel-Palestine conflict in the Middle East. The attackers who organize the criminal activity are fueled by the goal of “erasing Israel from the Internet” because of the political struggle in the Gaza Strip. This year, on March 2nd, hackers tried to use JCry ransomware as the primary attack vector to infect Israeli website users with malicious code.

However, due to the bug in the code, the JCry ransomware payload failed to deploy, and the message “Jerusalem is the capital of Palestine #OpJerusalem” was shown in place of the original site. The defaced page was intended only for visitors not running the Windows operating system; the flaw in the code made the message pop up for every user, and the JCry infection procedure failed entirely.

Nevertheless, JCry virus might be used in other campaigns and distributed by using such methods as spam email attachments or hyperlinks, brute-force attacks, exploit kits, fake updates, etc. Speaking of the latter, the #OpJerusalem attack was meant to be performed with the help of fake Flash updates, so malware authors might use this tactic in the future.

[Image: JCry is a ransomware virus that was intended to be used in the #OpJerusalem cybercrime campaign against Israel]

The flashplayer_install.exe file drops two further executables, Dec.exe and Enc.exe. The latter is the main executable that generates the AES and RSA keys for the encryption. After that, JCry ransomware contacts a C&C server[3] to send the relevant information and drops the ransom note JCRY_Note.html, which states:

All Your Important Files have been Encrypted
1- Send 500$ worth of Bitcoin to this Address : 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt
2- Download Tor Browser and Open the following Link : Recovery Link
3- Enter the Address used in Payement
4- We'll check your Payement and upload your Decryption Key
5- Open the same link again (after a while) and enter your Unique ID to get your Decryption Key
Your Unique Key :

Additionally, Dec.exe displays another note with the ASCII text art “#OpJerusalem” alongside the message “Jerusalem is the capital of Palestine.”

While it is obvious that the authors of the virus are active participants in the movement against Israel, the fact that they are asking for payment indicates that money might be a motivator as well. This means that the infection rate might increase rapidly, and users all over the world could be targeted.

If your device got infected with the virus, you should perform JCry ransomware removal using reputable security software that can detect the threat (we recommend using Reimage, Malwarebytes or Combo Cleaner). Entering Safe Mode with Networking is advised, although it might not be needed in every instance.

Once you remove JCry ransomware from your Windows machine, you can start the file recovery procedure. Note that no decryptor is available yet, so the ways of recovering data are limited to backups, third-party software or paying the ransom. Researchers do not recommend paying or contacting the criminals, as the chances of being scammed are quite high.

Adobe Flash is an unsafe plugin that is often used by fake update malware delivery tactic

Adobe Flash Player has been a major focus of cybercriminals seeking to infect users with malware. Since the plugin is so widely used, fake updates claiming that the software is outdated are a popular tactic among hackers. Additionally, Flash Player is known to have multiple security flaws that leave users vulnerable to malware attacks. These bugs are often patched by Adobe, although many people fail to update their software on a regular basis.

Due to significant security flaws and the plugin's outdated technology, Adobe plans to shut it down by the end of 2020, discontinuing its support.[4] The software is no longer widely needed anyway, as newer technology and built-in plugins exist in most modern browsers.

[Image: The ransomware authors are politically motivated and aim to infect Israeli users]

Therefore, it is time to disable Adobe Flash altogether, or at least set it to click-to-run. Once you stop using the plugin, the danger of installing fake updates disappears as well. Aside from this, experts also recommend following general safety practices:

  • Employ reputable security software;
  • Use a firewall, VPN, password manager, ad-blocker, and similar tools that can help you increase online safety;
  • Patch your system and software with the latest security updates upon their release;
  • Beware of spam emails – malicious attachments and hyperlinks might lead to malware infection;
  • Avoid using high-risk sites, such as torrent, porn, gambling, etc.;
  • When installing freeware or shareware, always opt for Advanced/Custom installation settings instead of Recommended/Quick ones to avoid optional programs.

Terminate JCry ransomware and only then proceed with file recovery procedure

Before you attempt file recovery, you must remove JCry ransomware from your device. Otherwise, all your backups or recovered files will be encrypted repeatedly.

For complete JCry ransomware removal, you should use anti-malware software that can detect all the malicious entries and remove them. While manual elimination is possible, it requires extensive IT knowledge. Thus, regular users should stay away from tampering with system files, and leave the job to automatic removal tools.

Once the JCry virus is terminated, you can connect your backup device or load files from a remote server. If you did not have backups prepared, do not lose hope, as decryption tools are developed by cyberthreat researchers regularly. Additionally, you can also try third-party recovery software that might help you recover at least some of the files locked by the .jcry file virus.
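Before restoring from backup it helps to know exactly which files carry the .jcry marker and which folders received JCRY_Note.html, so the scope of the restore is clear. The following is an added example (not code from this page or from any vendor) that inventories a directory tree for those two artefacts; it assumes the marker is appended to the file name as a suffix, and the sample tree it builds is constructed test data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".jcry"              # extension the page says JCry appends to encrypted files
NOTE_NAME = "JCRY_Note.html"  # ransom note the page says the malware drops

def inventory(root):
    """Walk root and collect encrypted files, their original names and note locations.
    Assumption (not stated on the page): the marker is appended as a suffix."""
    encrypted, note_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(MARKER):
                encrypted.append(path)
            elif name == NOTE_NAME:
                note_dirs.append(Path(dirpath))
    # Original name = path with the trailing marker stripped; that is the name to restore.
    originals = [Path(str(p)[:-len(MARKER)]) for p in encrypted]
    return {"encrypted": sorted(encrypted), "originals": sorted(originals),
            "note_dirs": sorted(note_dirs)}

def summarize(report):
    """Counts that scope the recovery: how many files, of which types, and where."""
    by_type = Counter(p.suffix.lower() or "(none)" for p in report["originals"])
    by_dir = Counter(str(p.parent) for p in report["encrypted"])
    return {"encrypted_files": len(report["encrypted"]),
            "note_dirs": len(report["note_dirs"]),
            "by_type": dict(by_type), "by_dir": dict(by_dir)}

def demo():
    """Run the inventory over a constructed sample tree (not a real infection)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "pics").mkdir()
        for rel in ("docs/report.docx.jcry", "docs/notes.txt.jcry",
                    "pics/cat.jpg.jcry", "pics/dog.png"):   # dog.png left untouched
            (root / rel).write_bytes(b"constructed sample")
        for d in ("docs", "pics"):
            (root / d / NOTE_NAME).write_text("All Your Important Files have been Encrypted")
        return summarize(inventory(root))

if __name__ == "__main__":
    print(demo())
```

Point `inventory()` at the affected drive or user profile to get the list of original names that must come back from backups, Previous Versions or ShadowExplorer.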


To remove JCry virus, follow these steps:

Remove JCry using Safe Mode with Networking

If the ransomware interferes with the AV software, you can use Windows' Safe Mode to erase the virus:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove JCry

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it, run a full system scan, and remove the malicious files that belong to the ransomware to complete JCry removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove JCry using System Restore

To remove JCry ransomware, you can also make use of System Restore feature:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of JCry. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it, and make sure that JCry removal was performed successfully.

Bonus: Recover your data

The guide presented above is meant to help you remove JCry from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by JCry, you can use several methods to restore them:

Data Recovery Pro might be useful in file recovery

This application was originally designed to recover data that was lost or corrupted. Nevertheless, some users have reported that it can also help with files that are encrypted by ransomware, so it is worth trying.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by JCry ransomware;
  • Restore them.

Take advantage of Windows Previous Versions feature

This method can only be used if you had System Restore enabled before the JCry ransomware attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

In some cases, ShadowExplorer might recover all your files

If you were lucky and the virus did not delete Shadow Volume Snapshots, ShadowExplorer should be able to retrieve all your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is available yet.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from JCry and other ransomware, use a reputable anti-spyware program such as Reimage, Malwarebytes, Combo Cleaner or Plumbytes Anti-Malware.

About the author

Gabriel E. Hall - Passionate web researcher


References