JoeGo Virus - How to remove

JoeGo is crypto ransomware. It encrypts your files (making them useless) and asks for money in exchange for fixing them. The virus affects Windows systems.

There is a way to try to manually restore the lost files (a guide below this article), and a few ideas about how viruses like JoeGo are distributed, and what are some ways to protect your system against malware infections.

How to recognise a JoeGo infection?

A lot of files become unopenable, their file type being “.LOCKED”. A ransom note named “precist.html” and written in Czech is left for the victim of JoeGo to read.

Here is a translation:

Your files have been encrypted!

Time left
95:53:03

What happened to my files?
Your documents, photos, music, movies and many other files have been encrypted. By clicking the ”Show Encrypted List” button, you can view the files that I encrypted for you. These files can only be restored if you follow the procedure below.
[Show Encrypted List]

How do I recover my files?
Your data has been encrypted with a unique key using the powerful AES encryption algorithm. This unique key was encrypted with a public key using the RSA algorithm and then stored on your computer. You will need a private key to decrypt your files. This private key is stored on our server. I will give you the private key after paying the financial fee. You have 96 hours of data encryption to pay the fee. If you fail to pay the fee, the private key on the server will be deleted. Then no one can decrypt your data, you’ll lose it permanently.

How do i proceed?
Your unique ID is 332845.
Transfer the amount of 0.05 BTC using the payment gateway specified below.
Then just wait a while, decryption of your files will happen automatically after receiving the required amount.
[Go to payment gateway.]

Is JoeGo dangerous?

Many valuable files are encrypted by the JoeGo ransomware: documents, spreadsheets, other Office files, media files (audio, video, and pictures), archives, PDFs, even basic text files.

Unfortunately, the cybercriminals are right about the encryption being practically unbreakable. The private key that is stored on the crooks’ server is needed to decrypt the key which was used to encrypt your files. Only 4 days — 96 hours — are given to the victim to transfer the money, after which the creators of JoeGo threaten that they will delete the private key.

A cryptocurrency — Bitcoin — is used, likely because it is anonymous and the transactions are irreversible. Meaning you will not get your money back, even if the files are not restored. The price currently being around $250.

How does it spread?

• Infected email attachments and links: PDF and Office files can be infected with macro viruses; links can be pointing to a direct download of a malicious program. Be careful before opening an email that you did not expect from senders who you do not know.
• Hacked remote access software: this can allow outsiders to make changes in your computer, such as installing ransomware like JoeGo, so make sure your Remote Desktop and other remote access applications use usernames and passwords that are complex and unique.
• Downloaded with pirated files and software cracks — scan files before running them, ransomware and crypto miners are sometimes distributed through filesharing.
• With malicious advertisements, scareware, Trojans, fake updaters and installers that trick the user into installing a computer virus themselves. People are made to believe that they’re installing a necessary update or a useful application. Make sure to research a program before installing it.

The JoeGo ransom note being in Czech implies that the cybercriminals are targeting that country specifically, maybe that the developers of the virus are from the Czech Republic. But Czech residents are not the only ones who can get infected.

How to remove the JoeGo Virus

To remove the JoeGo virus scan your machine with a reputable antivirus program (we usually recommend Spyhunter and malwarebytes) and either remove the malware automatically or manually.

If you cannot access some websites, it is worth checking your hosts file for malicious entries. Some viruses modify that file to control which websites you access.

Regularly update your operating system and your antivirus program. JoeGo was first seen on April 9, only a few days before writing this article. Antivirus program vendors try to stay on top of all the newest security threats, but you need to install the updates to benefit from them.

Another important tip to protect yourself against ransomware is to keep a backup of your most important files. A JoeGo infection will not be so devastating if you have recent copies of your files. Some ransomware viruses actually try to delete your backups, so it’s a good idea to have it stored somewhere separate, like an external drive or the cloud.

Automatic Malware removal tools

How to recover JoeGo Virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before JoeGo Virus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of JoeGo Virus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to JoeGo Virus. You can check other tools here.  

Step 3. Restore JoeGo Virus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually JoeGo Virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover JoeGo Virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.