Jest Ransomware Removal Guide

Do you know what Jest Ransomware is?

Jest Ransomware is a Windows infection that is built to encrypt files. Once they are encrypted, the “.jest” extension is appended to their names, and so it only takes one glance to see which files were encrypted and which ones were not. While this malicious threat does not encrypt system files – which ensures that the operating system keeps running normally – it can encrypt personal files, which should prevent you from accessing photos, videos, archives, documents, and other files you might have created on your own or that you might have been sent by others. Some of these files might be replaceable, but your personal photos and documents might not be. That depends on whether or not someone else owns copies or if you have your own copies stored outside the infected computer. In any case, while we cannot promise that you will get your files back, we can promise that you will remove Jest Ransomware.

Just like most file-encrypting threats nowadays – including Ooss Ransomware, HorseLeader Ransomware, or Mado Ransomware – the malicious Jest Ransomware is likely to use remote access vulnerabilities, spam emails, and packaged downloaders (where several files/programs are carried by the same installer) to invade operating systems. That can be done successfully only if security software is not installed to catch and delete malware or if victims themselves do not recognize and delete malware immediately. After execution, Jest Ransomware drops files to %ALLUSERSPROFILE%. They include 1.bmp, {random name}.exe (launcher), chk.dat, encryptedfiles.eco, MSWINSCK.OCX, note.ini, recover.exe, and rps.exe. The file called “1.bmp” changes the Desktop wallpaper image and “note.ini” represents the ransom note that most file-encryptors use to terrorize victims. The image displayed on the Desktop states that files were encrypted and that the reader needs to find “Decryption Notes” on the Desktop for more information.

“README - Decryption Note.lnk” is the shortcut to “note.ini” dropped on the Desktop. The message in this file tries to convince the victims of Jest Ransomware that they need a special “decryption service” if they want to be able to recover the encrypted files. The message instructs victims to pay a ransom of 0.3 Bitcoin to decrypt files, and that is a lot of money. Cryptocurrency exchange rates shift minute by minute, but when we researched the infection, 0.3 Bitcoin was $2,754. When we checked the Bitcoin Wallet (1MZJgjrDz6h6TPwRAxuh1gEWh2AETrNBAy), to which the payments are requested, it was completely empty, and we hope that it stays that way. Unfortunately, even if you pay the ransom, you are unlikely to get your files decrypted. That is because the attackers behind Jest Ransomware have no obligation to provide you with a decryptor. All they care about is money, and once they get it, they can forget about you and your encrypted files.

Since a free decryptor that could decipher Jest Ransomware did not exist at the time of research, it seems that you can salvage your files only if you can replace them. Hopefully, you have your own copies stored online or on external drives, but you should transfer them onto your computer (if that is necessary) only after you delete Jest Ransomware. So, how do you do that? The instructions below should make it possible for you to remove the infection manually. Note that the name of the launcher is unique in every case, and so you have to be careful when identifying it. The name of this file, however, can be revealed via the Registry Editor, as shown in the guide below. Unfortunately, even if you solve the malware problem, you still need to solve the Windows security problem. This is why we recommend installing anti-malware software right away. Not only will it protect your system, but it will also automatically delete all infections.

Remove Jest Ransomware

  1. Tap Windows and R keys on the keyboard to launch Run.
  2. Enter regedit into the dialog box and click OK to access Registry Editor.
  3. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  4. Find the value that belongs to ransomware (it could be named VYCWMR and its value data should point to the location of a malicious {random name}.exe file in C:\ProgramData\).
  5. If you can identify the ransomware value, right-click it and select Delete.
  6. Exit Registry Editor and then tap Windows and E keys to launch File Explorer.
  7. Enter %ALLUSERSPROFILE% into the quick access field at the top to access the directory.
  8. Right-click and Delete these files:
    • 1.bmp
    • {random name}.exe (the name of the file linked to the value in step 4)
    • chk.dat
    • encryptedfiles.eco
    • MSWINSCK.OCX
    • note.ini
    • recover.exe
    • rps.exe
  9. Enter %USERPROFILE%\Desktop into the quick access field at the top, or go to Desktop.
  10. Right-click and Delete these files:
    • Decryptor.lnk
    • README - Decryption Note.lnk
  11. Exit File Explorer and then Empty Recycle Bin.
  12. Perform a full system scan to check for leftovers using a trusted malware scanner tool.
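
The manual checks in steps 3 to 10 can also be run as a read-only PowerShell audit. The script below is an added example, not part of the original guide: it only reports matches and deletes nothing, its variable names are our own, and it assumes the launcher sits directly in %ALLUSERSPROFILE% as described above.

```powershell
# Added example: read-only audit for the artifacts this guide lists. Nothing is deleted.
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$dropDir   = $env:ALLUSERSPROFILE.TrimEnd('\')      # normally C:\ProgramData
$desktop   = Join-Path $env:USERPROFILE 'Desktop'
$dropped   = '1.bmp','chk.dat','encryptedfiles.eco','MSWINSCK.OCX',
             'note.ini','recover.exe','rps.exe'
$shortcuts = 'Decryptor.lnk','README - Decryption Note.lnk'
$findings  = @()

# Steps 3-4: Run values whose data points to an .exe directly inside the drop directory.
# The launcher name is random, so match on location rather than on the file name.
$key = Get-Item -Path $runKey -ErrorAction SilentlyContinue
if ($key) {
    foreach ($name in $key.GetValueNames()) {
        $data = [string]$key.GetValue($name)
        if ($data -match '^\s*"?([^"]+?\.exe)') {
            $exe = $Matches[1]
            if ((Split-Path $exe -Parent).TrimEnd('\') -eq $dropDir) {
                $findings += [pscustomobject]@{
                    Type = 'Run value'; Item = $name; Path = $exe
                    Present = Test-Path -LiteralPath $exe
                }
            }
        }
    }
}

# Steps 7-10: the fixed-name files in %ALLUSERSPROFILE% and the Desktop shortcuts.
$candidates  = @($dropped   | ForEach-Object { Join-Path $dropDir $_ })
$candidates += @($shortcuts | ForEach-Object { Join-Path $desktop $_ })
foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{
            Type = 'File'; Item = Split-Path $path -Leaf; Path = $path; Present = $true
        }
    }
}

# Scope of damage: count files carrying the ".jest" extension under the user profile.
$jest = @(Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Filter '*.jest' `
          -Force -ErrorAction SilentlyContinue).Count

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else           { 'No Jest Ransomware artifacts from this guide were found.' }
"Files with the .jest extension under $env:USERPROFILE: $jest"
```

Any Run value the script reports should still be reviewed by hand before deletion, because legitimate software can also start from %ALLUSERSPROFILE%. MSWINSCK.OCX is also the file name of Microsoft's Winsock control, so only the copy in %ALLUSERSPROFILE% is relevant here.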

In non-techie terms:

Jest Ransomware is a very dangerous infection that can use stealthy methods to slither into unguarded Windows operating systems. If it succeeds, it can then encrypt files, which ensures that victims cannot read their own files. If files are replaceable, or if copies exist outside the infected computer, you are in a very good position. In either case, deleting Jest Ransomware is important. This infection can auto-start with Windows, and you certainly do not want to connect to your backups via an infected computer. So, the first thing you should do is remove the infection. While some users might be able to eliminate this malware manually using the instructions above, our recommendation is that you implement anti-malware software right away. It will automatically secure your system to keep new infections away, and it will also automatically erase every single malicious file that exists on your system at this very moment.