
JCandy Ransomware

Posted: November 14, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 2
First Seen: April 20, 2021
OS(es) Affected: Windows

The JCandy Ransomware is a Trojan that can block access to your files and display pop-ups asking you to pay for an unlocking solution. Threats that use cryptography in their payloads are far less effective against victims who keep prior backups, especially backups stored in secure locations that the Trojan can't encrypt or delete. Your anti-malware products should identify and remove the JCandy Ransomware as a threat to both your PC's security and your media.

The Computer Misdeed with a Candy Coating

A rare file-locking Trojan that isn't an immediate derivative of families like the CryptMix Ransomware or EDA2 is just being caught by malware researchers and other security industry analysts, as of mid-November. The Trojan, the JCandy Ransomware, uses advanced GUI pop-ups to communicate with its victims while also locking their files via encryption. Although the JCandy Ransomware asks for an upfront ransom of 200 USD, it has not yet been verified whether paying gives the user access to a real, file-unlocking service.

The JCandy Ransomware is a Windows-only Trojan that, in some cases, circulates in compressed archives that obfuscate the corrupted executable. After the user installs it, the JCandy Ransomware loads a background process that searches the PC's folders for documents, pictures, and other media formats to encrypt. Malware experts estimate that the JCandy Ransomware uses an AES-based cipher, although further investigation is needed to determine whether third-party software could reverse the encoding attack. As usual, files that the JCandy Ransomware encrypts will not open in their associated programs, which gives the Trojan's threat actor a bargaining position for demanding a ransom.

The second significant function that the JCandy Ransomware carries out is launching a pop-up window built with an advanced HTML format, which allows the UI to include buttons and interactive text fields. This window carries the threat actor's demand for 200 USD in Bitcoins and a fake Bitcoin-purchasing button that, instead, redirects users to an image-hosting service recommending that they 'Google it.' As noted previously, malware experts have yet to corroborate any bundled decryption or payment-verifying features in the Trojan that would, even in theory, allow victims to restore their files after paying.

Teaching Your Computer to Digest Healthier Things than Trojans

For the time being, malware researchers have yet to determine the infection strategies that might circulate or install the JCandy Ransomware onto new PCs, and can only estimate that its ransom-collecting strategy is most suited to recreational or casual users, rather than corporate networks. The JCandy Ransomware's author also appears to be testing the obfuscation of this Trojan's code against common AV solutions, with multiple, undisguised samples arriving in centralized threat databases within a short time. Updating your anti-malware solutions when appropriate can help them keep abreast of newly-developed threats like the JCandy Ransomware.

Installation tactics for file-locking threats often, but not exclusively, use e-mail attachments to gain a foothold on a vulnerable PC. Since a successful infection can damage your files with encryption that may be irreversible, keeping backups of any essential work on another device is heavily recommended as a precaution. Updated anti-malware software should eliminate the JCandy Ransomware immediately and before it starts to lock any files.

The JCandy Ransomware is the newest but hardly unique example of a Trojan attacking the data of Windows users to make cryptocurrency off of their work. Working 'smart,' rather than 'hard,' pays off for con artists just as well as for a legal employee, which makes standard security procedures, anti-malware protection, and backup scheduling into necessities for anyone with a PC.
