Danger level 7
Type: Trojans
Common infection symptoms:
  • Slow Computer
  • System crashes
  • Normal system programs crash immediately
  • Connects to the internet without permission
  • Installs itself without permissions
  • Can't be uninstalled via Control Panel

JCry Ransomware

JCry Ransomware is a malicious application that was supposed to be distributed during the so-called #OpJerusalem attack. Its initiators targeted popular Israeli websites, which, once affected, were supposed to show fake messages asking visitors to update a particular plugin; instead of delivering the update, the infected site was supposed to install the malware. Luckily, there was a severe flaw in the hackers’ code, and the plan failed. Below, we explain why the attack was unsuccessful and what JCry Ransomware could do if it entered the system. At the end of the article, we also provide removal instructions showing how to eliminate this malicious application manually. The process is not particularly complicated, but we always recommend using a reliable antimalware tool instead if the task seems too difficult. A security tool can also clean the computer of other possible threats and guard it against various infections in the future.

Cybersecurity specialists report that the cybercriminals behind JCry Ransomware and the so-called #OpJerusalem attack planned to modify the DNS record used by a popular plugin from nagich.com. As a result, users visiting web pages that use this plugin were supposed to receive a fake message loaded by a malicious script. The script was designed to check whether the victim’s device was running Windows. If it was, the script would display a fictitious Adobe Flash Player update message urging the user to update the plugin. However, a flaw in the script's code made it fail to determine whether the device was running Windows. Consequently, instead of the fictitious warning, the infected websites displayed a black page with red text saying: “Jerusalem is the capital of Palestine,” signed by #OpJerusalem. Had the script worked, the malware could have infected many computers.

If the script had no flaws, the sites loading it would have suggested downloading and launching JCry Ransomware’s installer, which might be called flashplayer_install.exe. Once started, the file should create two executable files named dec.exe and enc.exe, one text document titled PersonalKey.txt, and a script called msg.vbs in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder. Some of these files delete themselves right after they complete their tasks, while others stay on the system. Soon after, the threat should start encrypting various data available on the computer. Enciphered files should be easy to recognize, since JCry Ransomware marks them with the .JCry extension, for example, picture.jpg.JCry. When the encryption process is finished, the malicious application should drop a file titled JCRY_Note.html on the victim’s Desktop.

The mentioned file (JCRY_Note.html) is the malware’s ransom note. In other words, it contains instructions or demands from the hackers who created the threat. Apparently, they want 500 US dollars in Bitcoin in exchange for decryption tools or, to be more precise, a unique decryption key. The instructions explain that the key will be uploaded to a particular website, which victims can open in the Tor browser. Needless to say, there are no guarantees that the hackers responsible for JCry Ransomware will keep their promises and upload the needed decryption tools. Therefore, we would not recommend complying with any demands if you do not want to put your savings at risk.

All in all, even though the hackers failed to distribute the malware this time, it is entirely possible they could be more successful next time. The malicious application’s developers could also pick easier distribution methods, such as sending targeted victims infected email attachments. Knowing this, we recommend being extra cautious, and if you do encounter JCry Ransomware, we hope our article will help you decide on the best course of action. If you choose to erase the threat, you can follow the manual deletion instructions below, although it might be easier to use a reliable antimalware tool. If the hackers make any changes to the malicious application, the provided instructions may no longer work, but a trustworthy security tool should remove it with no trouble.

Erase JCry Ransomware

  1. Press Ctrl+Alt+Delete.
  2. Choose Task Manager and select Processes.
  3. Find a process belonging to the threat.
  4. Mark it and click End Task.
  5. Exit Task Manager.
  6. Press Win+E.
  7. Find these paths:
    %TEMP%
    %USERPROFILE%\Downloads
    %USERPROFILE%\Desktop
  8. Locate the malicious application’s launcher, for example, flashplayer_install.exe.
  9. Right-click it and select Delete.
  10. Find this path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
  11. Locate files called Dec.exe and PersonalKey.txt.
  12. Right-click them and select Delete.
  13. Exit File Explorer.
  14. Empty your Recycle Bin.
  15. Restart the computer.
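
A read-only check for the files and folders named in the steps above, as an added example that is not part of the original article. The function name `Find-JCryArtifact` and its `-ScanRoot` parameter are hypothetical, and the script assumes the Desktop and Downloads folders sit at their default locations under %USERPROFILE%.

```powershell
# Read-only triage for the JCry artifacts named in this article. Nothing is deleted.
# File names and folders come from the article; the function name is hypothetical.
function Find-JCryArtifact {
    [CmdletBinding()]
    param(
        # Root scanned for encrypted files; defaults to the current user's profile.
        [string]$ScanRoot = $env:USERPROFILE
    )

    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    $desktop = Join-Path $env:USERPROFILE 'Desktop'

    # Folder -> file names the article associates with that folder.
    $checks = @(
        @{ Dir = $env:TEMP;                                Names = @('flashplayer_install.exe') }
        @{ Dir = (Join-Path $env:USERPROFILE 'Downloads'); Names = @('flashplayer_install.exe') }
        @{ Dir = $desktop; Names = @('flashplayer_install.exe', 'JCRY_Note.html') }
        @{ Dir = $startup; Names = @('dec.exe', 'enc.exe', 'PersonalKey.txt', 'msg.vbs') }
    )

    foreach ($check in $checks) {
        foreach ($name in $check.Names) {
            $path = Join-Path $check.Dir $name
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $item = Get-Item -LiteralPath $path -Force
                $hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Kind     = 'Artifact'
                    Path     = $item.FullName
                    Size     = $item.Length
                    Modified = $item.LastWriteTime
                    SHA256   = $hash.Hash   # empty if the file is locked
                }
            }
        }
    }

    # Files carrying the .JCry extension, for example picture.jpg.JCry.
    Get-ChildItem -LiteralPath $ScanRoot -Recurse -File -Force -Filter '*.JCry' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Encrypted'; Path = $_.FullName; Size = $_.Length
                               Modified = $_.LastWriteTime; SHA256 = $null }
        }
}

Find-JCryArtifact | Sort-Object Kind, Modified | Format-Table -AutoSize
```

Because some of the dropped files delete themselves after running, an empty result for the Startup folder does not rule out an infection; the `.JCry` files and JCRY_Note.html are the more durable signs.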