JNEC.a ransomware (Removal Guide) - Decryption Steps Included
JNEC.a virus Removal Guide
What is JNEC.a ransomware?
JNEC.a ransomware is file-locking malware that spreads with the help of a WinRAR code execution vulnerability
This new ransomware strain encrypts users' data and demands a ransom for a decryptor that does not even work
JNEC.a ransomware is a new malware strain that was recently discovered by security researchers at 360 Threat Intelligence Center. Written in .NET, the malware takes advantage of a WinRAR vulnerability to spread.
The threat uses an encryption algorithm to lock personal pictures, databases, documents, spreadsheets, and other files, and then appends the .Jnec extension, preventing users from opening any of the affected data on the PC.
Afterward, the virus displays a pop-up window with basic information: the number of files encrypted, the ransom size (0.05 BTC), the Bitcoin wallet, and a generated email address that the victim is told to register on Gmail so that the attackers can send the alleged decryptor to it. Nevertheless, extensive analysis of the virus showed that even the ransomware authors would not be able to decrypt locked files, so paying the ransom is completely pointless.
| Attribute | Details |
|---|---|
| Related files | GoogleUpdate.exe, JNEC.A.exe, vk_4221345.rar, iku_m2VtkXA.jpg |
| Distribution | 19-year-old WinRAR vulnerability |
| Ransom demand | 0.05 BTC |
| Decryptable? | No; paying the ransom is useless, as even the malware author would not be able to decrypt the data |
| Removal | Use security software that can recognize and safely remove the malware |
| Recovery | Scan your PC with the RestoroIntego system diagnostics tool to recover from virus damage |
In addition to the pop-up window, this infection also drops a text file called JNEC.README.TXT so that users know what to do next. The message states:
Deposit amount: 0.05 BTC
BTC Address: 1JK1gnn4KEQRf8n7pHZiNvmV8WTXfq7kVa
Your ID: [redacted]
Your Email: [redacted] (Create a mail to get the decryption key)
Ransomware viruses generate an ID for each victim individually, which is then tied to a unique decryption key stored on a remote server. JNEC.a virus authors ask users to create a Gmail account named after this ID, to which they would allegedly receive the decryptor.
At the time of the writing, 34 AV engines recognized this hazardous virus as:
- Trojan.BTCWare – Malwarebytes
- Trojan:Win32/Pynamer.B!ac – Microsoft
- Win32:Malware-gen – AVG
- Ransom.Win32.JNEC.A – Trend Micro
- UDS:DangerousObject.Multi.Generic – Kaspersky
Therefore, to remove this ransomware, you should download reliable anti-malware tools such as SpyHunter 5Combo Cleaner or Malwarebytes. Afterward, we highly recommend scanning your device with the RestoroIntego system optimizer to recover your system from the damage done by the virus.
The file locker was discovered in mid-March and is spread with the help of a 19-year-old WinRAR vulnerability
The infection procedure and a 19-year-old WinRAR vulnerability
Security researchers at Check Point recently unveiled a devastating vulnerability that has been affecting the file compression software WinRAR for over 19 years – CVE-2018-20250. The archiver is one of the most popular programs of its kind, available in 46 languages, so the discovery is significant.
According to researchers, the vulnerability can be exploited by at least 100 different exploits, which puts over 500 million users at risk. To stop the vulnerability in the unacev2.dll library from being exploited, the developers had to drop support for all ACE format versions starting from build 5.70.
The payload of JNEC.a ransomware is hidden inside a compressed .rar file called vk_4221345.rar, which is distributed online. When trying to open it, users are presented with a picture (iku_m2VtkXA.jpg) of a woman, although the image appears to be corrupted. This might look like normal behavior caused by a failed decompression of the archive.
Victims who use vulnerable versions of WinRAR and attempt to open the picture will be automatically infected with this article's culprit. The vulnerability allows the malware to place its main executable, GoogleUpdate.exe, into the Windows Startup folder, which consequently lets the malicious program run every time the operating system is started.
The file encryption process takes much longer than usual, as all the files are encrypted fully – meaning that the whole content of each file is encrypted instead of just a part of it. Additionally, due to a bug in the encryption process, even the virus creators would not be able to decrypt it.
Instead, victims should focus on the JNEC.a ransomware removal procedure. Those who had no backups are most likely going to lose their files for good, although third-party software might be helpful in some cases. Additionally, researchers might release an official decryptor, and then you could retrieve all the data encrypted by this cryptovirus for free.
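As an added triage example (not code from the article, and not the malware's code), the following Python walks a directory tree for the artifacts described above: files carrying the .Jnec extension, the JNEC.README.TXT note, and a GoogleUpdate.exe sitting in a Startup folder, and it parses the note's fields. The sample tree and note contents are constructed inline; the Startup path layout is an assumption.

```python
import tempfile
from pathlib import Path

RANSOM_NOTE = "jnec.readme.txt"        # article's note name, matched case-insensitively
ENCRYPTED_EXT = ".jnec"                 # extension appended to locked files
STARTUP_DROPPER = "googleupdate.exe"    # the real updater lives under Program Files, not Startup


def parse_ransom_note(text):
    """Return the 'key: value' fields of a JNEC.README.TXT note as a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            # Drop trailing instructions such as "(Create a mail ...)" after the value.
            fields[key.strip()] = value.strip().split(" (")[0]
    return fields


def triage_tree(root):
    """Collect suspected JNEC.a artifacts under root, grouped by type."""
    found = {"encrypted": [], "notes": [], "startup_droppers": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()
        if name == RANSOM_NOTE:
            found["notes"].append(str(path))
        elif path.suffix.lower() == ENCRYPTED_EXT:
            found["encrypted"].append(str(path))
        elif name == STARTUP_DROPPER and path.parent.name.lower() == "startup":
            found["startup_droppers"].append(str(path))
    return found


def build_sample_tree():
    """Constructed stand-in for an infected user profile (assumed layout, not a real capture)."""
    root = Path(tempfile.mkdtemp())
    docs = root / "Documents"
    docs.mkdir()
    (docs / "report.docx.Jnec").write_bytes(b"\x00" * 16)
    (docs / "photo.jpg.jnec").write_bytes(b"\x00" * 16)
    (docs / "untouched.txt").write_text("not encrypted")
    (docs / "JNEC.README.TXT").write_text(
        "Deposit amount: 0.05 BTC\nBTC Address: 1JK1gnn4KEQRf8n7pHZiNvmV8WTXfq7kVa\n"
        "Your ID: [redacted]\nYour Email: [redacted] (Create a mail to get the decryption key)\n")
    startup = root / "Start Menu" / "Programs" / "Startup"
    startup.mkdir(parents=True)
    (startup / "GoogleUpdate.exe").write_bytes(b"MZ")   # constructed stub, not the malware
    return root
```

On a real Windows host you would point triage_tree at the user profile, where both the Documents folder and the per-user Startup folder live.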
This particular cryptovirus is infecting users of vulnerable WinRAR versions using a vk_4221345.rar archive
Include software updates in your computer usage routine so that malware authors cannot exploit known vulnerabilities
Software vulnerabilities are bugs that allow attackers to use exploit kits to execute commands on the affected machine remotely. This means that if you have a piece of software installed that is not patched, hackers might abuse the flaw to install malware on your system. While the process still depends on the user's actions (such as downloading a file or visiting a compromised website), the software flaw is what ultimately results in system compromise.
For that reason, you should apply software patches to all installed applications as soon as possible. The best way to do so is by allowing the app to update itself – most developers implement an automatic update feature. However, those who have it turned off not only risk being exploited by malware authors but also running into fake update sites that host unwanted or even malicious programs.
The best example comes from Adobe Flash Player, as hackers have been exploiting the program for years now, despite numerous patches. Additionally, having comprehensive security software installed is mandatory, as it can warn users of the incoming threats and prevent them from infecting the machine in the first place.
Remove JNEC.a ransomware by using a security tool that can detect the threat
Due to the nature of malware, manual ransomware removal is not recommended to anyone. Instead, you should install a security application such as SpyHunter 5Combo Cleaner or Malwarebytes that can detect the malware and eliminate it promptly. However, before you can accomplish that, we recommend you enter Safe Mode with Networking, as the virus might prevent anti-malware software from operating correctly.
Unfortunately, there is very little chance of retrieving files locked by this file-locking parasite if you had no backups ready. Nevertheless, do not lose hope, as recovery of at least some of your data might be possible with the help of third-party software. Check out the instructions below.
Please remember that you need to remove JNEC.a ransomware before this, as otherwise all the recovered files will be locked again, rendering the recovery process useless. It is also recommended to perform system diagnostics with the RestoroIntego software before proceeding with file recovery.
Getting rid of JNEC.a virus. Follow these steps
Manual removal using Safe Mode
To remove ransomware without interruptions, enter a safe environment on Windows as explained below and then perform a full system scan using anti-malware software:
The manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in a full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following: Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove JNEC.a using System Restore
Make use of System Restore in order to terminate the virus:
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of JNEC.a. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove JNEC.a from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
Paying the ransom is pointless, as proved by security researchers. Instead, try using third-party recovery software that might be able to help.
If your files are encrypted by JNEC.a, you can use several methods to restore them:
Data Recovery Pro is a professional tool that might be just right for the process
This application is originally designed to retrieve data that was corrupted or accidentally deleted. Nevertheless, it might also be useful when files are locked by ransomware.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by JNEC.a ransomware;
- Restore them.
Make use of Windows Previous Versions feature
This method can only work if you had System Restore enabled before the ransomware attack.
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.
ShadowExplorer might recover your files in some cases
If you were lucky enough and the virus failed to delete Shadow Volume Copies, use ShadowExplorer to recover your data.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
No decryptor is currently available
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from JNEC.a and other ransomware, use reputable anti-spyware, such as RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
How to prevent from getting ransomware
Do not let government spy on you
The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities and trust your selection of services and platforms, stay cautious for your own security and take precautionary measures by using a VPN service.
Back up files for later use, in case of a malware attack
Computer users can suffer data loss due to cyber infections or their own mistakes. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.
When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.