Jhash Ransomware Removal Guide

Threat Level:
Rate this Article:
Comments (0)
Article Views: 444
Category: Trojans

The HiddenTear source code is used to create new ransomware infections quite often, specialists say. The newest threat it can be found in is Jhash Ransomware. It is a newly-detected infection, so it does not have many victims yet, but, of course, this might change soon, so you must be cautious. Since it belongs to the group of HiddenTear-based malware, our specialists did not need to carry out an in-depth analysis to find out how it is usually spread. Just like similar threats, it is spread via spam emails, they say. At first glance, there is nothing malicious about the launcher of this ransomware infection. In some cases, it is even disguised as an invoice or another document in order to trick users into opening it themselves. When the malicious attachment is opened and Jhash Ransomware is executed, it deletes itself, but it does not mean that you will not need to erase it from your computer because it copies itself to %HOMEDRIVE%\[user]\Rand123\local.exe. Then, it checks if the compromised machine is connected to the Internet, and if yes, it sends details that could identify the victim to its C&C server (https://app-1509153828.000webhostapp.com/write.php?computer_name={Victim Computer name}&userName={User name}&password={Private encryption key}&allow=ransom). If you are one of the unfortunate users who have become victims of Jhash Ransomware, disable the ransomware infection immediately so that it could not encrypt your new files. No, it cannot launch automatically on startup because it does not create the so-called point of execution (PoE), but you might launch it again yourself incidentally. Sadly, files Jhash Ransomware has locked on your computer after the successful entrance will not be unlocked automatically for you when you delete this malicious application.

Jhash Ransomware encrypts users’ personal files right away after it infiltrates their computers. It affects files with .txt, .html, .apk, .pdf, .dll, .c, .mpeg, .mp3, .core, .ico, .pas, .db, .torrent, .cab, .wmv, .py, .sql, and other extensions located in %USERPROFILE%\Desktop, %USERPROFILE%\Links, %USERPROFILE%\Contacts, %USERPROFILE%\Documents, %USERPROFILE%\Downloads, %USERPROFILE%\Pictures, %USERPROFILE%\Music, %USERPROFILE%\OneDrive, %USERPROFILE%\Saved Games, %USERPROFILE%\Favorites, %USERPROFILE%\Searches, and %USERPROFILE%\Videos. As can be seen, it targets directories that usually contain valuable files. Sadly, it means that your files have already been encrypted if they have the .locky extension appended. The ransomware infection also drops the ransom note Leeme_Nota_de_Rescate.txt on Desktop once it locks users’ files. The ransom note informs users what they need to do to get their files back. Unfortunately, it seems that there is only one day to decrypt them. You need to send 10 USD via PAYZA – the online payment platform – to crooks behind the ransomware infection you have encountered. The size of the ransom Jhash Ransomware asks is relatively small, but you should think twice before sending your money to cyber criminals because you might not get anything from them. Unfortunately, there is only one way to get files back for free – users who have a backup of their files can restore them from it. Do not forget to remove the ransomware infection from your computer first.

Encrypting files and dropping the ransom note on users’ screens are only two of several activities Jhash Ransomware performs on victims’ computers. Research has shown that this infection also checks if the computer is connected to the Internet, sends certain information about victims to its C&C server, can download the image from https://imgur.com/nPcEpO8.png and set it as a new Wallpaper, and, finally, it checks if READ_IT.txt.locky exists in %USERPROFILE%\Desktop. If the file is found there, it deletes it. Luckily, from the technical standpoint, it is not a very sophisticated malicious application. In consequence, it should not be very hard to delete it. The last paragraph of this article contains more information about the Jhash Ransomware removal.

You need to remove Jhash Ransomware from your system so that this threat could not cause more problems for you. It does not drop a bunch of files, and you will not find any new registry keys created in the system registry after its infiltration, so the removal of this ransomware infection should not be very complicated. Of course, you should still follow our instructions step by step because you might leave Jhash Ransomware active on your computer if you do not remove all its components. Of course, you can erase it quicker and easier with an automated malware remover too. No matter which one of these two removal methods you adopt, your files will stay encrypted.

How to remove Jhash Ransomware

  1. Press Win+E on your keyboard.
  2. Open %HOMEDRIVE% (type %HOMEDRIVE% in the Explorer’s URL bar and press Enter to open it).
  3. Access the [user] folder.
  4. Locate the Rand123 folder and delete it.
  5. Remove ransom.jpg from %HOMEDRIVE%\[user].
  6. Delete Leeme_Nota_de_Rescate.txt from %USERPROFILE%\Desktop.
  7. Empty Recycle bin.
Download Remover for Jhash Ransomware *
*SpyHunter scanner, published on this site, is intended to be used only as a detection tool. To use the removal functionality, you will need to purchase the full version of SpyHunter.

Jhash Ransomware Screenshots:

Jhash Ransomware
Jhash Ransomware
Jhash Ransomware

Jhash Ransomware technical info for manual removal:

Files Modified/Created on the system:

# File Name File Size (Bytes) File Hash
17921e985c72a5876b69476d1af67d637c5ad8a904af33635188cc307dcaf52c7.exe219136 bytesMD5: 4391101a41f5c9ffbaeb01d42fa4d6e5

Memory Processes Created:

# Process Name Process Filename Main module size
17921e985c72a5876b69476d1af67d637c5ad8a904af33635188cc307dcaf52c7.exe7921e985c72a5876b69476d1af67d637c5ad8a904af33635188cc307dcaf52c7.exe219136 bytes

Comments are closed.