Jack Ransomware Removal Guide

Do you know what Jack Ransomware is?

The end of ransomware is nowhere in sight, and we keep encountering threats like Jack Ransomware. This particular infection belongs to the Crysis/Dharma Ransomware family, and it was created using open-source code that anyone can purchase and use to terrorize Windows victims. Other threats that derive from the same code include HACK Ransomware, paydra@cock.li Ransomware, and 0day Ransomware. It is impossible to know who is using the malware code, and it is even possible that the same attackers are behind several threats from the Crysis/Dharma family. Although we could talk about them all, in this report we focus on the removal of Jack Ransomware. Of course, the same tips apply to all victims of malware from the same family, and in some cases to other families as well.

To understand Jack Ransomware, we need to understand the origins of this infection. As you now know, the creator of this malicious threat is unknown, but we can predict how this malware might invade your operating system. According to our team, this threat is most likely to use RDP flaws and spam emails. Unpatched vulnerabilities within RDP allow remote attackers to drop and execute malware on your computer without your input or notice. When it comes to spam emails, the attackers set up misleading messages to trick victims into executing malware by opening attached files. If the devious Jack Ransomware is executed successfully, files are encrypted immediately. You could discover which files were corrupted by checking which ones can no longer be opened, but all you really have to do is look at the file names: the “.id-[ID].[lockhelp@qq.com].jack” extension should be appended to them all.

Jack Ransomware screenshot

After encryption, Jack Ransomware launches a window entitled “lockhelp@qq.com,” and the message inside this window warns that files were encrypted and that the victim must email lockhelp@qq.com within 7 days to get information on how to recover the files. The message also states that the attackers expect money to be transferred to their Bitcoin wallet in return for a decryptor tool. The threat demands a ransom payment, and that is why it is classified as ransomware. The exact sum is not revealed, and we assume that victims would only learn it after emailing the attackers. Jack Ransomware also uses a file named “RETURN FILES.txt” to point victims to the same email address. So, should you go for it? Should you send the attackers a message? Should you pay the ransom? That is up to you, but we do not recommend getting involved because the attackers are unlikely to give you anything that you need. Unfortunately, recovering the money once it is transferred is impossible.

Do not be intimidated by the manual Jack Ransomware removal guide. There are quite a few steps, but the instructions should make them easy enough to follow. Another solution is to install anti-malware software that can delete Jack Ransomware automatically. Unfortunately, no matter how you eliminate this malicious infection, your files will not be decrypted. A legitimate decryptor that could restore your files does not exist either. Of course, you could take the risk of paying the ransom, but we would never recommend doing it because it is unlikely that you would get your files decrypted. If you have backups stored outside the computer, you do not need to worry about recovering the encrypted files. Do not forget about this in the future because as long as backups exist, you do not need to fear loss or damage.

Remove Jack Ransomware

  1. Delete recently downloaded malware files and all copies of the RETURN FILES.txt file.
  2. Simultaneously tap Win+E keys to access Windows Explorer.
  3. Enter the following paths into the quick access field to find and Delete malicious [unknown name].exe:
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  4. Go to these directories to find and Delete the file named Info.hta:
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  5. Simultaneously tap Win+R keys to access the Run dialog box.
  6. Enter regedit and click OK to launch the Registry Editor.
  7. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Delete all values linked to malicious [unknown name].exe and Info.hta files.
  9. Close all windows and then Empty Recycle Bin.
  10. Employ a trusted malware scanner to check for leftovers that might still require removal.
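As an added example that is not part of the original guide, the PowerShell triage script below turns the indicators from the ransom-note paragraph and the ten steps above into a read-only check: it reports encrypted files, ransom notes, Info.hta and stray executables in the listed folders, and Run-key values that point at them, so you can review everything before deleting anything. The expanded paths, the ID regex and the extra HKCU check are assumptions drawn from the names quoted on this page.

```powershell
# Added triage script, not part of the original guide. It reports (never deletes) the
# artifacts the steps above tell you to look for: files carrying the
# ".id-[ID].[lockhelp@qq.com].jack" extension, copies of "RETURN FILES.txt",
# "Info.hta" or stray .exe files in the listed folders, and Run-key values that
# point at them. Run from an elevated PowerShell so System32 and HKLM are readable.

$startupDirs = @(
    '%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\',
    '%WINDIR%\System32\'
) | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
$noteDirs = @([Environment]::ExpandEnvironmentVariables('%APPDATA%')) + $startupDirs

# 1. Encrypted files and ransom notes in one pass over every drive letter. The regex is
#    the extension quoted in the guide; [ID] varies per victim, so it is matched loosely.
$jackPattern = '\.id-[^.\\]+\.\[lockhelp@qq\.com\]\.jack$'
$hits = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } |
    ForEach-Object { Get-ChildItem -Path $_.Root -Recurse -File -Force -ErrorAction SilentlyContinue } |
    Where-Object { $_.Name -match $jackPattern -or $_.Name -eq 'RETURN FILES.txt' }
$encrypted = @($hits | Where-Object { $_.Name -match $jackPattern })
$notes     = @($hits | Where-Object { $_.Name -eq 'RETURN FILES.txt' })
"Encrypted files: $($encrypted.Count)   Ransom notes: $($notes.Count)"
$notes | ForEach-Object { "  note:   $($_.FullName)" }
$encrypted | Select-Object -First 5 | ForEach-Object { "  sample: $($_.FullName)" }

# 2. Info.hta in every listed folder; unknown .exe only in the Startup folders,
#    because System32 legitimately holds thousands of executables.
foreach ($dir in $noteDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'Info.hta' -or
                       ($_.Extension -eq '.exe' -and $dir -like '*\Startup\') } |
        ForEach-Object { "Startup artifact: $($_.FullName)  (modified $($_.LastWriteTime))" }
}

# 3. Run-key values that launch Info.hta or anything living in the folders above.
#    The guide names the HKLM key; HKCU is checked too as an added precaution.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties
    foreach ($p in ($props | Where-Object { $_.Name -notlike 'PS*' })) {
        $cmd = [string]$p.Value
        $suspect = ($cmd -match 'Info\.hta') -or ($startupDirs | Where-Object { $cmd -like "*$_*" })
        if ($suspect) { "Run value [$hive] '$($p.Name)' -> $cmd" }
    }
}
```

A non-zero count of encrypted files or notes confirms the infection ran; an empty report does not prove the system is clean, so still finish with the scanner in step 10.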

In non-techie terms:

The malicious Jack Ransomware slithers in silently or using tricks, then it encrypts files, and, finally, it uses a ransom message to make victims perform certain actions. This infection was created to make money, and the attackers expect all victims to succumb to their demands. To convince more victims to do so, they promise to decrypt all files, but we do not know whether this promise is empty. Most likely it is, because the attackers would not benefit in any way by helping their victims out. Unfortunately, once files are encrypted, nothing can be done to decrypt them. Even legitimate decryptors cannot undo the encryption. Ultimately, your files can be saved only if you have backup copies stored someplace safe, in which case replacing the encrypted files should not be difficult. Whatever happens, removing Jack Ransomware is crucial, and if you cannot do it manually, employ a tool that will do it automatically.