Home / Spyware Help / JCry Ransomware Removal Guide

JCry Ransomware Removal Guide

by 0 Comments

Do you know what JCry Ransomware is?

JCry Ransomware is a malicious infection that was supposed to spread on a wide scale when the attackers attempted to infect hundreds of websites in Israel to spread the malicious payload and, potentially, infect thousands of Windows operating systems. Also known as the OpJerusalem Ransomware, this threat was supposed to be spread using a bug in a popular plugin created by nagich.com. According to plan, when the victim visited the website running the plugin, their operating systems would automatically be infected. However, the attack did not work because of an error inside the infection’s code. Unfortunately, we cannot predict what other steps the attackers behind this threat could take to spread it. In this report, we explain the functionality of the infection, and we also show how to delete it. Note that a manual JCry Ransomware removal guide can be found below.

If the devious JCry Ransomware is executed on the Windows operating system successfully, the threat should create a bunch of files in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup folder. These files include Dec.exe, PersonalKey.txt, Enc.exe, and msg.vbs. The latter two should delete themselves automatically after execution; the rest of them you need to remove yourself. After all files are in place, JCry Ransomware should quickly encrypt the personal files that exist. To mark them, the “.JCry” extension should be added to their original names. It was found that the “access denied” message should pop-up once the threat is executed, and that should be a red flag for you. Unfortunately, it is not possible to stop the infection once the encryption is under way. Once the attack is complete, an HTML file called “JCRY_Note.html” is supposed to be created on the Desktop. It is safe to open.JCry Ransomware Removal GuideJCry Ransomware screenshot
Scroll down for full removal instructions

The ransom note created by JCry Ransomware (the .html file) is meant to convince you that you need a decryption key to have the corrupted files restored. To obtain this allegedly existing key, you are instructed to pay a ransom to 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt (Bitcoin wallet address). The full ransom is $500, but you are supposed to pay it in Bitcoins, and that means that you also need to purchase this crypto-currency first. After the payment, you are instructed to download the Tor Browser and visit a website created by the attackers to confirm the payment. At the time of research, this website was down, which means that you would not be able to confirm your payment even if you made it. Paying the ransom requested by JCry Ransomware is not what we recommend doing because although that might be the only option for you, it is not a legitimate option. You are being scammed.

Hopefully, JCry Ransomware does not spread, but the creators behind this infection appear to be quite aggressive, and we would not be surprised to learn that this malware is distributed in some other clandestine manner. This is why it is crucial that you secure your operating system NOW. Most importantly, download and install legitimate anti-malware software. The best thing you can do for yourself is invest in your virtual security, and if you take care of that, you will not need to worry about dangerous threats attacking you. To make sure that at least your files are safe, back them up on an external drive or virtual cloud to ensure that malware cannot get to them.

Remove JCry Ransomware

  1. Go to the Desktop and Delete a file named JCRY_Note.html.
  2. Launch Windows Explorer by tapping Win+E keys.
  3. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup into the quick access field.
  4. Delete these files (some of them should have deleted themselves automatically):
    • Dec.exe
    • Enc.exe
    • msg.vbs
    • PersonalKey.txt
  5. Empty Recycle Bin.
  6. Perform a full system scan using a legitimate malware scanner.

In non-techie terms:

JCry Ransomware is a vicious infection whose creators attempted a mass attack using hundreds of legitimate and popular sites in Israel. Although the attack failed, no one knows what other methods cyber criminals could employ to spread the infection successfully. If it invades operating systems, it can encrypt files and then make victims pay a ransom of $500 in return for a decryption key. It is very unlikely that the key would be given to those who face the infection, and so paying the ransom is the last thing that you should do. Instead, focus all of your energy on deleting JCry Ransomware. You might be able to remove this threat manually, but we recommend using anti-malware software because it can offer full-time protection too, and that is most important if you want to avoid malware attacks in the future.