JCry Ransomware

Also Known As: JCry virus
Distribution: Low
Damage level: Severe

JCry ransomware removal instructions

What is JCry?

JCry is a high-risk ransomware designed to stealthily infiltrate computers and encrypt stored data. Research results show that developers tried to proliferate JCry by exploiting a certain web plug-in implemented in various Israeli websites. However, due to a faulty in source code, they failed. JCry is designed to encrypt data and append filenames with ".jcry" extension (e.g., "sample.jpg" is renamed to "sample.jpg.jcry" and so forth). Once data is encrypted, JCry opens a pop-up window and generates an html file ("JCRY_Note.html") and drops a copy in every existing folder.

As with most of ransomware-type infections, JCry's html file delivers a message informing victims about the encryption and making ransom demands. It is said that victims must send cyber criminals $500 worth of Bitcoins in order to receive a decryption key and successfully recover data. No additional information regarding the encryption is provided. Therefore, it is currently unknown whether JCry uses symmetric or asymmetric cryptography. Nevertheless, it is sure that each victim gets a unique decryption key and restoring data without it is impossible. For this reason, cyber criminals hide all decryption keys in a remote server and blackmail victims. Now keep in mind that cyber criminals cannot be trusted and you should never attempt to contact these persons and certainly not send them any money. Research results show that ransomware developers often ignore victims once the ransoms are paid. In other words, victims pay and get nothing in return. Therefore, you should never believe them and all encouragements to contact these persons/pay ransoms should be ignored. Unfortunately, there are no tools capable of cracking JCry's encryption and restoring data for free. This means that the only possible solution is to restore everything from a backup, if there is one created.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:

JCry decrypt instructions

Internet is full of ransomware-type viruses similar to JCry. Promok, Frendi, ARTEMY - these are only few examples from a long list. Notice that even though the developers are different, all of these viruses behave almost exactly the same: encrypt data and make ransom demands. In most cases infections like JCry have only two major differences: 1) price for the recovery, and; 2) type of cryptography used. Unfortunately, ransomware-type viruses usually employ algorithms like RSA, AES, and/or other that generate unique decryption. Hence, unless the virus is still in development and/or has certain bugs/flaws, restoring data manually (without developers interfering) is impossible. Ransomware presents a strong case for maintaining regular data backups. However, be sure to store them in unplugged storage devices or remote servers. Backups that are stored locally will probably be encrypted alongside with regular data.

How did ransomware infect my computer?

As mentioned above, JCry is promoted via compromised websites. Developers modified the DNS record of one of popular web access plug-ins from nagich.com website. It is also worth noting that cyber criminals mainly target Israeli websites. Once a website that uses the compromised plug-in is visited, users are redirected to a page that performs certain actions. Firstly, the site checks whether the visitor is using Windows operating system or not. The idea behind the script is to feed Windows users with fake pop-up messages claiming that their Adobe Flash Player is out-of-date and encouraging them to update it. However, the script contains a small, yet fatal flaw. One of the "if" statements which decides what actions to perform contains an error. Therefore, even if visitor is actually using Windows OS, he/she is treated as a non-Windows user and, thus, the fake Adobe Flash Player pop-up never occurs. However, keep in mind that this error is easily fixable, therefore, chances that the problem will be resolved and cyber criminals will continue to use this method are high. Ransomware-type infections are also likely to be distributed using email spam campaigns, third party software download sources, cracks, and trojans. Spam campaigns are used to send malicious attachments (which are usually presented as important documents) to hundreds of thousands of recipients. The emails also contain deceptive messages encouraging to open attached links/files. Yet doing so results in various system infections. Freeware download websites, free file hosting sites, peer-to-peer (P2P) networks (such as torrents, eMule, etc.) are used to spread malware by presenting it as legitimate software. Users simply get tricked into downloading and installing malware manually, by themselves. The idea behind cracking tools is to bypass paid software activation without paying. Yet most of them are used to spread infections, which is why users often end up downloading and installing malware, rather than gaining access to paid features. Last, but not least, are trojans. These are malicious applications that stealthily infiltrate computers and continually inject additional malware.

How to protect yourself from ransomware infections?

In order to prevent such computer infections users must be very cautious when downloading/installing/updating software, as well as browsing the Internet. Be sure to download apps only from official sources, via direct download links. Third party downloaders/installers often include rogue apps, which is why such tools should never be used. Same goes for software updates. It is important to keep installed applications and operating system up-to-date. However, this should be achieved only through implemented functions or tools provided by the official developer. Never use any software cracking tools because software piracy is considered a cyber crime and, if that wasn't enough, the risk of infections is extremely high. It is also advised to think twice before opening email attachments. If the sender looks suspicious/unrecognizable or if the received link/file is irrelevant then do not open anything. Lastly, always have a reputable anti-virus/anti-spyware suite installed and running. Such tools are very helpful, because they're more than likely to detect and remove malware before the system is harmed. If your computer is already infected with JCry, we recommend running a scan with Spyhunter for Windows to automatically eliminate this ransomware.

Text presented in JCry ransomware's html file ("JCRY_Note.html"):

All Your Important Files have been Encrypted
1- Send 500$ worth of Bitcoin to this Address : 1FKWhzAeNhsZ2JQuWjWsEeryR6TqLkKFUt
2- Download Tor Browser and Open the following Link : Recovery Link
3- Enter the Address used in Payement
4- We'll check your Payement and upload your Decryption Key
5- Open the same link again (after a while) and enter your Unique ID to get your Decryption Key
Your Unique Key :

The appearance of JCry ransomware pop-up:

JCry pop-up

Text presented in this pop-up:

[#] Jerusalem is the capital of Palestine [#]

                  If you are reading this, all your important files have been encrypted,
                       read JCRY_NOTE.html in your Desktop for more information.

[X] Enter Your Decryption Key :

Screenshot of files encrypted by JCry (".jcry" extension):

Files encrypted by JCry

JCry ransomware removal:

Instant automatic removal of JCry virus: Manual threat removal might be a lengthy and complicated process that requires advanced computer skills. Spyhunter is a professional automatic malware removal tool that is recommended to get rid of JCry virus. Download it by clicking the button below:
▼ DOWNLOAD Spyhunter By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. Free scanner checks if your computer is infected. To remove malware, you have to purchase the full version of Spyhunter.

Quick menu:

Step 1

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.

Safe Mode with Networking

Video showing how to start Windows 7 in "Safe Mode with Networking":

Windows 8 users: Start Windows 8 is Safe Mode with Networking - Go to Windows 8 Start Screen, type Advanced, in the search results select Settings. Click Advanced startup options, in the opened "General PC Settings" window, select Advanced startup. Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings". Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Windows 8 Safe Mode with networking

Video showing how to start Windows 8 in "Safe Mode with Networking":

Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options". In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

windows 10 safe mode with networking

Video showing how to start Windows 10 in "Safe Mode with Networking":

Step 2

Log in to the account infected with the JCry virus. Start your Internet browser and download a legitimate anti-spyware program. Update the anti-spyware software and start a full system scan. Remove all entries detected.

If you cannot start your computer in Safe Mode with Networking, try performing a System Restore.

Video showing how to remove ransomware virus using "Safe Mode with Command Prompt" and "System Restore":

1. During your computer start process, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu appears, and then select Safe Mode with Command Prompt from the list and press ENTER.

Boot your computer in Safe Mode with Command Prompt

2. When Command Prompt mode loads, enter the following line: cd restore and press ENTER.

system restore using command prompt type cd restore

3. Next, type this line: rstrui.exe and press ENTER.

system restore using command prompt rstrui.exe

4. In the opened window, click "Next".

restore system files and settings

5. Select one of the available Restore Points and click "Next" (this will restore your computer system to an earlier time and date, prior to the JCry ransomware virus infiltrating your PC).

select a restore point

6. In the opened window, click "Yes".

run system restore

7. After restoring your computer to a previous date, download and scan your PC with recommended malware removal software to eliminate any remaining JCry ransomware files.

To restore individual files encrypted by this ransomware, try using Windows Previous Versions feature. This method is only effective if the System Restore function was enabled on an infected operating system. Note that some variants of JCry are known to remove Shadow Volume Copies of the files, so this method may not work on all computers.

To restore a file, right-click over it, go into Properties, and select the Previous Versions tab. If the relevant file has a Restore Point, select it and click the "Restore" button.

Restoring files encrypted by CryptoDefense

If you cannot start your computer in Safe Mode with Networking (or with Command Prompt), boot your computer using a rescue disk. Some variants of ransomware disable Safe Mode making its removal complicated. For this step, you require access to another computer.

To regain control of the files encrypted by JCry, you can also try using a program called Shadow Explorer. More information on how to use this program is available here.

shadow explorer screenshot

To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and EasySync CryptoMonitor, which artificially implant group policy objects into the registry to block rogue programs such as JCry ransomware.

Note that Windows 10 Fall Creators Update includes "Controlled Folder Access" feature that blocks ransomware attempts to encrypt your files. By default this feature automatically protects files stored in Documents, Pictures, Videos, Music, Favorites as well as Desktop folders.

Controll Folder Access

Windows 10 users should install this update to protect their data from ransomware attacks. Here�s more information on how to get this update and add additional protection layer from ransomware infections.

HitmanPro.Alert CryptoGuard - detects encryption of files and neutralises any attempts without need for user-intervention:

hitmanproalert ransomware prevention application

Malwarebytes Anti-Ransomware Beta uses advanced proactive technology that monitors ransomware activity and terminates it immediately - before reaching users' files:

malwarebytes anti-ransomware

  • The best way to avoid damage from ransomware infections is to maintain regular up-to-date backups. More information on online backup solutions and data recovery software Here.

Other tools known to remove JCry ransomware: