
Jhash Ransomware

Posted: November 10, 2017

Threat Metric

Ranking: 4,356
Threat Level: 1/10
Infected PCs: 4,024
First Seen: March 27, 2019
Last Seen: October 17, 2023
OS(es) Affected: Windows

The Jhash Ransomware is a Trojan that locks your files by encrypting them, so that restoring them requires the threat actor's decryption key. Other symptoms of a Jhash Ransomware infection include changes to your wallpaper and text notes that give details on paying the cybercrook for that key. Malware experts recommend using other decryption solutions that are compatible with the Hidden Tear family of threats, in addition to uninstalling the Jhash Ransomware with anti-malware tools.

When Judging Infections by Their Symptoms Provides Bad Intelligence

Many Trojans are quick to give away their identities by not bothering to obfuscate their code or the attacks their payloads deliver, but an equal number of them specialize in misinforming their victims. Modern examples of new, file-locking Trojans with mismatching symptoms and code include the Jhash Ransomware, a South American threat. Malware experts last saw this Trojan extorting money from PC users in Venezuela and delivering messages meant for Spanish-speaking targets.

The Jhash Ransomware is a variant of Hidden Tear, a project developed by the Turkish researcher Utku Sen for demonstrating harmful, file-encrypting attacks without any intention of deploying them. Like most versions of Hidden Tear, the Jhash Ransomware uses AES encryption to lock files of different formats on an infected PC automatically, including text documents, spreadsheets, slideshows, pictures and archives. The Jhash Ransomware's authors also include a deliberately misleading symptom: appending the '.locky' extension to the locked files, which usually signifies an attack from the '.locky File Extension' Ransomware.

Malware researchers observe different versions of the Jhash Ransomware dropping different, text-based ransom notes for the victim, all of which ask for ransoms of ten USD via the Payza online payment service. All of its communications are in Spanish only, and it has yet to be seen targeting victims outside of South American regions. The Jhash Ransomware also downloads an Imgur-hosted image with another warning message that it uses for hijacking the desktop; because the Trojan doesn't bundle the image internally, its threat actor may be able to swap the picture dynamically.

Hashing out a Safe Route around a File-Locking Campaign

The lack of a sophisticated payment-processing infrastructure and the low price for unlocking the user's files are two particularly stark signs that the Jhash Ransomware's campaign is aimed primarily at recreational PC owners rather than government or corporate systems. Infection methods that malware experts often see in use for distributing file-locking Trojans like the Jhash Ransomware include:

  • Torrents and other piracy-related download sources may deliver installers for the Jhash Ransomware that pretend to be movies, video games, music or other illegal media.
  • Spammed e-mail messages may include links or attachments for exploits that install the Jhash Ransomware, often via a document or browser-based script.
  • Some threat actors also prefer attacking individual systems directly by compromising their network login combinations, with short, simple passwords being especially at risk from these brute-force attacks.

The Jhash Ransomware's symptoms also go some way toward steering the victim to inappropriate data-unlocking solutions. Only use decryption software compatible with Hidden Tear for restoring the files that the Jhash Ransomware damages, and always keep spare copies of your media so that no damage is irreversible. At current rates, four out of every six brands of anti-malware products should eliminate the Jhash Ransomware automatically, before it can damage any files.

Venezuela isn't the most expected target for the campaign of any file-locking threat, but national borders don't provide perfect safety from threatening software. For an open-source style Trojan like the Jhash Ransomware, where you live is much less relevant than whether or not you have backups.

Technical Details

File System Modifications

The following files were created in the system:

%SYSTEMDRIVE%\Users\<username>\desktop\usosetup.exe

File name: usosetup.exe
Size: 11.61 MB (11613032 bytes)
MD5: 890682fe942ba4e2e37e7e4068d6bc6a
Detection count: 1,925
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\desktop
Group: Malware file
Last Updated: October 17, 2023
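
Because the '.locky' extension is shared with an unrelated family, a hash match on the dropped executable is the stronger indicator during triage. The script below is an added example, not code from this site or from the Trojan: it walks a directory tree and grades findings using the file name, size and MD5 listed above. The function names and the sample tree built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile

# Indicator values copied from the file listing on this page.
IOC_NAME = "usosetup.exe"
IOC_SIZE = 11613032
IOC_MD5 = "890682fe942ba4e2e37e7e4068d6bc6a"
LOCKED_EXT = ".locky"  # appended by Jhash, but not unique to it


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large executable is not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, name=IOC_NAME, size=IOC_SIZE, md5=IOC_MD5):
    """Walk root and grade findings: hash match, name-only match, renamed files."""
    report = {"confirmed": [], "name_only": [], "locked": []}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if fn.lower().endswith(LOCKED_EXT):
                report["locked"].append(path)
            elif fn.lower() == name:
                try:
                    hit = os.path.getsize(path) == size and md5_of(path) == md5
                except OSError:
                    hit = False  # unreadable file: keep it as a name-only lead
                report["confirmed" if hit else "name_only"].append(path)
    return report


def demo():
    """Constructed tree: a same-named but different file, plus one renamed document."""
    desktop = os.path.join(tempfile.mkdtemp(), "Users", "alice", "Desktop")
    os.makedirs(desktop)
    for fn in ("UsoSetup.exe", "budget.xlsx.locky"):
        with open(os.path.join(desktop, fn), "wb") as fh:
            fh.write(b"constructed placeholder, not the real sample")
    return triage(desktop)


if __name__ == "__main__":
    print(demo())
```

A `name_only` result means a file with the same name but different contents; entries under `locked` show that files were renamed, not which Trojan renamed them.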