What is jCandy ransomware? And how does it implement its attack?
jCandy ransomware is a new crypto-malware designed to encrypt important files on the targeted computer and extort victims into paying a ransom to get them back. jCandy is a new variant of the open-source platform Hidden Tear, which is known to have spawned countless ransomware infections since 2015. Since jCandy ransomware is a Hidden Tear variant, it seeks to encrypt files with the following formats:
.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp
The encryption algorithm it uses is undoubtedly AES, since it is based on Hidden Tear. However, security experts determined that jCandy uses a combination of AES and RSA ciphers, which means its encryption is strong, making it hard for victims to recover the encrypted files even by the alternative route, their shadow volume copies. After the encryption, jCandy ransomware drops a text file named JCANDY_INSTRUCTIONS.txt which contains the ransom note. It also opens a program window labeled jCandy. Both the ransom note and the program window contain the same message, which reads as follows:
“jCandy
YOUR FILES HAVE BEEN LOCKED!
We have encrypted ALL your important files!
We have NOT deleted ANY files. Your files have been LOCKED!
If you would like access to your files you will need to purchase $200 USD worth of BITCOIN
and have it sent to this bitcoin address below.
After the payment is received your files will be decrypted and this program will delete itself.
You have 48 hours to send the payment and have your files unlocked-
If you fail to do so. your files will be DELETED
~ Kind Regards, jCandy”
No matter how impossible it seems to recover the encrypted files, you should not consider paying the ransom, as you will end up losing your money, not to mention that it would only motivate cyber crooks to create more ransomware infections. Bear in mind that cyber crooks can’t be trusted and are not known to keep their promises. The best thing to do for now is to use whatever backup copies you have of the encrypted files until a free decryptor is developed.
How is jCandy ransomware disseminated?
jCandy ransomware spreads using various methods, one of which is spam email. In a spam email, cyber criminals attach a corrupted file, such as a macro-enabled document or an executable file, which is responsible for installing jCandy on the targeted computer. They often disguise the email as something sent by a well-known company or group to trick users into downloading and opening the attachment. Aside from that, jCandy also spreads through fake software updates, file bundles that contain concealed malicious software, and rogue downloads.
Here are the steps you should follow to eliminate jCandy ransomware from your PC.
Step 1: Close jCandy’s program window.
Step 2: End the ransomware’s process from the Task Manager; tap Ctrl + Shift + Esc to open it.
Step 3: In the Task Manager, go to the Processes tab, look for jCandy’s process, right-click on it and select End Process or End Task.
Step 4: Close the Task Manager and open Control Panel by tapping Win + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 5: Locate jCandy ransomware in the list of installed programs and uninstall it.
Step 6: Close Control Panel and tap Win + E keys to open File Explorer.
Step 7: Navigate to the following locations and look for jCandy ransomware’s malicious components, such as JCANDY_INSTRUCTIONS.txt and other suspicious files, then delete all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8: Close the File Explorer.
Before you proceed to the next steps, make sure you are tech-savvy enough that you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will have a major impact on your computer. To save yourself the trouble and time, you can just use PC Cleaner Pro; this system tool is proven to be safe and secure enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run, type regedit in the field and tap Enter to pull up the Windows Registry.
Step 10: Navigate to the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 11: Delete the registry keys and sub-keys created by jCandy ransomware.
Step 12: Close the Registry Editor.
Step 13: Empty your Recycle Bin.
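The manual checks in Steps 3, 7 and 10-11, together with the shadow-copy recovery route mentioned in the first section, can be gathered into one read-only triage script that reports what it finds without killing anything or changing the registry. The following PowerShell is an added example written for this page, not code from the original guide or from any vendor. It assumes it is run from an elevated PowerShell prompt in the affected user's session; the "user-writable folder" heuristic used to flag Run entries is an assumption, since the page does not name the registry value jCandy creates, and the only file indicator it relies on is the ransom note name the article gives.

```powershell
# Added triage script; not part of the original guide. Read-only: it reports and
# does not kill processes, delete files or edit the registry.
# Assumption: run from an elevated PowerShell prompt in the affected user's session.

$RansomNoteName = 'JCANDY_INSTRUCTIONS.txt'                        # ransom note named in the article
$RunKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'     # Run key from Step 10
$SuspectLocations = @(                                             # folders from Step 7
    $env:TEMP,
    $env:APPDATA,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
)

function Find-JCandyProcesses {
    # Step 3: processes whose image name or window title mentions jCandy.
    Get-Process | Where-Object {
        $_.ProcessName -match 'jcandy' -or $_.MainWindowTitle -match 'jcandy'
    } | Select-Object Id, ProcessName, MainWindowTitle, Path
}

function Find-RansomNotes {
    # Step 7: every copy of the ransom note under the listed locations.
    foreach ($dir in $SuspectLocations) {
        if ($dir -and (Test-Path -LiteralPath $dir)) {
            Get-ChildItem -LiteralPath $dir -Recurse -File -Filter $RansomNoteName -ErrorAction SilentlyContinue
        }
    }
}

function Get-RunEntries {
    # Steps 10-11: list HKCU Run values. The article does not name the value jCandy
    # creates, so each entry is flagged when its command resolves into a
    # user-writable folder (assumption: a generic persistence heuristic; review by hand).
    if (-not (Test-Path $RunKey)) { return }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata, not Run values
    $userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE) |
        Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
    $props = Get-ItemProperty -Path $RunKey
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value).ToLowerInvariant()
        $flag = $false
        foreach ($root in $userWritable) {
            if ($cmd.Contains($root)) { $flag = $true }
        }
        [pscustomobject]@{ Name = $p.Name; Command = $p.Value; Suspicious = $flag }
    }
}

function Get-ShadowCopyStatus {
    # Shadow volume copies are the recovery route the article mentions; this only
    # reports whether any still exist (requires administrator rights).
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object ID, InstallDate, VolumeName
}

Write-Host '== Processes matching jCandy =='
Find-JCandyProcesses | Format-Table -AutoSize
Write-Host "== Copies of $RansomNoteName under the Step 7 folders =="
Find-RansomNotes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize
Write-Host '== HKCU Run entries (Suspicious = command points into a user-writable folder) =='
Get-RunEntries | Format-Table -AutoSize
Write-Host '== Shadow copies present =='
Get-ShadowCopyStatus | Format-Table -AutoSize
```

Run it before Steps 3, 7 and 11 so you have a written record of the process, the note locations and the Run entries you are about to act on; a flagged Run entry is a candidate for review, not proof of infection, since legitimate updaters also start from %APPDATA%.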
The steps given above aren’t enough to ensure the removal of jCandy ransomware, so you’ll have to go over the advanced steps below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 so that the Advanced Options menu shows up.
- To navigate the Advanced Options, use the arrow keys, select Safe Mode with Networking and then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. Installation will start automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.