Jhash virus - How to remove

Jhash ransomware virus – a new product based on Hidden Tear open source ransomware project. Last week we have announced Foxy Ransomware virus, which was also a result of developing Hidden Tear technologies. All those viruses share similar traits – they are infecting computers and employing strong cryptography to encrypt files stored on a hard drive. Right after that users are asked to pay a ransom in order to receive a special key which would allow to decrypt files.

In this particular case, Jhash is using AES cryptography, the same as Relock ransomware, which was also discovered last week. Once malicious files of Jhash is inside of the system, the encryption process will take place immediately. All files will be encrypted within several minutes and extension .locky will be appended to the end of every single one of them. Even though clear associations is unknown, extension ‘.locky’ is also used by notorious Locky virus which was spread with 23 million emails back in August.

Reportedly discovered this week by MalwareHunterTeam, Jhash virus is extremely dangerous and can cause detrimental damage to your files and system. If your computer is infected, after successful encryption you will notice that the image of your desktop is changed and there is a new file called ‘Leeme_Nota_de_Rescate.txt’. This file is a ransom note – information about the virus and instructions how to pay the ransom and decrypt files. Original text of the note:

Esta computadora ha sido hackeada
Tu informacion personal ha sido encriptada. Envianos 10 dólares por medio de PAYZA a la siguiente dirección de pago: [email protected] , y al mismo correo enviaras un capture de la transacción.
Después de eso, te enviaremos los pasos a seguir para recuperar tus preciados archivos.
Un paso en falso y perderás todos tus archivos, no te equivoques, Jhash

Since the message is written in Spanish, Jhash virus is probably targeted to Spanish speaking countries or was developed by Spanish. Either way, users are asked to pay $10 in order to unlock encrypted files. Once the computer is infected, Jhash automatically creates unique identification key and assigns decryption key, which is also unique. Decryption key is needed in order to decrypt files and it is stored on a remote server owned by cyber criminals. You are promised to receive your key after successful payment.

The most odd feature of this ransomware is actually the size of the ransom. Usually victims of ransomware viruses are charged something between $200-$2000, while Jhash only requests $10. Moreover, they prefer payment to be made via Payza, while most of the time cyber criminals demand ransom to be paid in Bitcoins and Bitcoins only. That means people behind this virus are either amateurs or new in the business.

Decrypting files locked by Jhash

Even though there are no official decryptors for Jhash ransomware yet, extension .locky used by the Locky virus was available for decryption using free decryptor developed by Emsisoft. You can try your luck and attempt to decrypt files using this tool. If this doesn’t work, you can switch to plan B – try to restore your files from a backup. However, there is a special condition – you have to have a valid copy of your hard drive that was made before the date of infection. If you do, take a look at our system restore guide and try to work things out this way. You can also use dedicated files recovery software from various third parties.

Finally, if none of the solutions above are effective in your situation, you can try to contact cyber criminals and pay the ransom, because the amount of it is relatively low. However, it should be used only as a last hope solution. Cyber criminals tend to ignore victims after the ransom is paid, so you can’t be sure that this will unlock your files.

In addition to that, if you somehow manage to unlock files, malicious attributes of Jhash virus stored in your computer must go as well. It can be difficult to track them down, so we recommend to use a professional anti-malware software for this job. Applications like Spyhunter should have no problems with detecting and removing all assets associated to Jhash. You can use other anti-virus tools of your choice as well. By the way, if you have any questions regarding this malware – you are more than welcome to ask them in the comments section below.

How to recover Jhash virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Jhash virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Jhash virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Jhash virus. You can check other tools here.  

Step 3. Restore Jhash virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Jhash virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Jhash virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.