Jhash Ransomware

The Jhash Ransomware is one of the many variants of HiddenTear that exist today. HiddenTear is an open source encryption ransomware Trojan first observed in August 2015. The Jhash Ransomware, released on November 8, 2017, is just one of many ransomware Trojans that are based on this freely available ransomware engine. The Jhash Ransomware's victims seem to be located in Venezuela, mainly. In the case of the Jhash Ransomware, it seems that it is being delivered to victims through corrupted documents, which include macro scripts that download and install the Jhash Ransomware onto the victim's computer. These will often be delivered to the victim's computer through phishing email messages.

The Well-Known Attack Executed by the Jhash Ransomware

There is very little about the Jhash Ransomware that is different from most ransomware Trojans. The Jhash Ransomware will encrypt the user-generated files on the victim's computer to take them hostage. The Jhash Ransomware will mark the files it encrypts by adding the file extension '.locky' to the affected files' names. The Jhash Ransomware takes the victim's files hostage to demand a ransom payment to release the decryption key. Samples of the file types that may be targeted by the Jhash Ransomware Trojan in its attack include:

.3dm, .3g2, .3gp, .7zip, .aaf, .accdb, .aep, .aepx, .aet, .ai, .aif, .as, .as3, .asf, .asp, .asx, .avi, .bmp, .c, .class, .cpp, .cs, .csv, .dat, .db, .dbf, .doc, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .dxf, .efx, .eps, .fla, .flv, .gif, .h, .idml, .iff, .indb, .indd, .indl, .indt, .inx, .jar, .java, .jpeg, .jpg, .js, .m3u, .m3u8, .m4u, .max, .mdb, .mid, .mkv, .mov, .mp3, .mp4, .mpa, .mpeg, .mpg, .msg, .pdb, .pdf, .php, .plb, .pmd, .png, .pot, .potm, .potx, .ppam, .ppj, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prel, .prproj, .ps, .psd, .py, .ra, .rar, .raw, .rb, .rtf, .sdf, .sdf, .ses, .sldm, .sldx, .sql, .svg, .swf, .tif, .txt, .vcf, .vob, .wav, .wma, .wmv, .wpd, .wps, .xla, .xlam, .xll, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xqx, .xqx, .zip.

Although the '.locky" file extension was first observed in the infamous Locky Ransomware, this file extension has been used by numerous other ransomware Trojans to mark the affected files, and does not indicate any relationship between Locky and the Jhash Ransomware.

How Cybercrooks may Profit from a Jhash Ransomware Attack

Unfortunately, the Jhash Ransomware uses a combination of the AES and RSA encryptions, which means that the files encrypted by the Jhash Ransomware attack are nearly impossible to recover without the decryption key. The Jhash Ransomware delivers its ransom note in a text file named 'Leeme.txt' (Spanish for 'Readme.txt'), which is dropped on the infected computer. The following is the text of the Jhash Ransomware's ransom note, translated into English:

'This computer has been hacked,
Your personal information has been encrypted, you send us $ 10 through PAYZA to the following payment address: jhash.bancaenlinea@zoho.com, and you will send a screenshot of the transaction to the same email. After that, we will send you a guide to recover your precious files. One wrong step and you will lose all your files, do not make mistakes.'

The victim's Desktop image will be changed to display the following text:

'You should not be scared ... But we have blocked all your files so that they are unusable.
If you want to unlock them ... Open the File Readme.txt that is on your desktop. And carefully follow the instructions.
One wrong step and there will be irreparable damage.'

Dealing with the Jhash Ransomware Infection

Computer users must refrain from following the instructions in the Jhash Ransomware ransom note. Instead, they should restore the files affected by the Jhash Ransomware attack by using file backups. Having file backups on external devices is the only guaranteed way to make sure that your data will not be lost after a threat attack like the Jhash Ransomware.

SpyHunter Detects & Remove Jhash Ransomware