Jhash Ransomware

What is Jhash Ransomware?

Specialists at anti-spyware-101.com have come across a new HiddenTear-based ransomware infection Jhash Ransomware recently. It is a nasty threat that has been developed by cyber criminals to obtain money from users more easily, so it will not miss a chance to encrypt your files and demand a ransom if it ever manages to slither onto your computer. The chances are high that this infection has already infiltrated your computer if you find it impossible to open your pictures, documents, videos, and other valuable files in a bunch of different directories. The majority of crypto-threats encrypt users’ personal files, but you can be sure that Jhash Ransomware is the one you have encountered if those files you can no longer access have .locky, the filename extension, appended. What should be your next move? You must delete the ransomware infection from your computer right away after discovering this threat. Your files will stay as they are, i.e. encrypted, but you should still not send a cent to malicious software developers because you will just encourage them to release more threats by doing that.

Where does Jhash Ransomware come from?

Jhash Ransomware was not a popular infection at the time of writing, and the chances are high that it will never become one; however, it does not mean that it cannot show up on your computer. According to our experienced specialists, there is no doubt that this ransomware infection infiltrates users’ computers illegally; however, it is very likely that users’ actions are directly associated with its successful entrance. For example, users might allow this threat to enter their computers by simply opening a malicious attachment. Usually, they are spread in spam emails and might even pretend to be important documents, e.g. invoices. Therefore, you should not go anywhere near spam emails you receive. Also, you should not open attachments sent to you by people/companies you know nothing about. Keep in mind that it is not the only existing malware distribution method. Specialists say that users might download ransomware infections from hacked websites too, so you should download software from trustworthy pages only. If you are not sure whether you could ensure your system’s maximum protection alone, you should go to install security software on your PC after the Jhash Ransomware removal so that other harmful threat could not enter your computer successfully again.

What does Jhash Ransomware do?

Since we already know how Jhash Ransomware is distributed, let’s talk about activities it performs on compromised machines. Needless to say, the first activity it performs after the successful infiltration is the encryption of the victim’s personal files. It locks files in all directories that might contain valuable data, for example, %USERPROFILE%\Desktop, %USERPROFILE%\Documents, %USERPROFILE%\Downloads, %USERPROFILE%\Music, and %USERPROFILE%\Videos, to name only a few. All files get the .locky extension, so it is quite easy to say which of them have been encrypted. When files are completely locked, it checks whether READ_IT.txt.locky exists in %USERPROFILE%\Desktop. If yes, it deletes it and then drops Leeme_Nota_de_Rescate.txt, which is a ransom note. Just like other crypto-threats, it demands money. Users are told to send 10 dollars via PAYZA if they want to unlock their files. The size of the ransom is really small if compared to the amount of money other ransomware infections ask, but you should still not forget that you have no guarantees that you could unlock your files after making a payment.

Jhash Ransomware not only encrypts files and drops the ransom note. It might also set ransom.jog as a new background image. Also, research has shown that it uses the Internet connection to send details about the victim to its C&C server. Since it communicates with its server, it might get updates and then perform even more malicious activities on your computer. Also, you might launch it accidentally again and get all new files locked, so you should disable this infection right away.

How to delete Jhash Ransomware

Even though the ransomware infection deletes itself once executed, it copies itself to %HOMEDRIVE%\[User]\Rand123\local.exe, so you will need to remove it to disable it. Luckily, it is not one of those sophisticated threats, so you should not find its removal a very challenging task. If you do not know much about the removal of malicious software, use our removal guide. You can delete malware from your PC automatically as well, but do not expect it to unlock those encrypted files for you.

Delete Jhash Ransomwarez

1. Press Ctrl+Shift+Esc and open Processes.
2. Kill all suspicious processes.
3. Close Task Manager and open Explorer (tap Win+E).
4. Go to %HOMEDRIVE%.
5. Go to [User].
6. Delete the Rand123 folder.
7. Delete ransom.jpg from the [User] folder.
8. Go to %USERPROFILE%\Desktop and delete the ransom note Leeme_Nota_de_Rescate.txt.
9. Empty Recycle bin.
10. Scan your computer with an antimalware tool to make sure you have not left any malicious components. Download Removal Tool100% FREE spyware scan and
    tested removal of Jhash Ransomware*

Stop these Jhash Ransomware Processes: