A ransomware virus going by the name JackPot has been reported to infect user systems undetected and encrypt their files using an encryption algorithm module, after which it changes the wallpaper of the infected system to a brief notification demanding a payment of 3.0 BTC, which is approximately 800 US dollars. Researchers are convinced that the virus is not very widespread, but the bad news is that at its start it is not detected by any antivirus, which suggests it may use good-quality obfuscation tools. Victims are asked to pay the ransom in Bitcoin, but they should instead focus on immediately removing this seemingly low-quality virus from their computers and look for alternative methods to restore the encrypted files.
SensorsTechForum is actively investigating this cyber-threat and will soon update this article with more information.
| Item | Description |
|---|---|
| Short Description | JackPot encrypts the files after infection and may modify the Windows Registry to change the wallpaper and notify the victim to pay a 3.0 BTC ransom to get the encrypted files back. |
| Symptoms | The user may witness ransom notes and "instructions" set as the wallpaper or as text files on the computer. Widely used file types become inaccessible and seem corrupted. |
JackPot Ransomware – How Is It Being Distributed
In order for JackPot ransomware to infect successfully, it has to be distributed widely. This is why its developers may have undertaken massive spam e-mail campaigns to infect as many users as their abilities allow. The e-mail messages sent by the cyber-crooks may impersonate legitimate programs and services and may contain either malicious URLs leading to infected websites or malicious e-mail attachments that only appear to be legitimate files. Here is an example of a fake LinkedIn phishing e-mail that contains a malicious URL disguised as a button:
JackPot Ransomware – More Information
When unsuspecting users "hit the JackPot", they are often clueless as to what happens behind the scenes. As soon as the infection is complete, JackPot ransomware may create different types of files, which may exist under different names and be located in the usually targeted Windows folders:
After the files are in place, JackPot ransomware may either drop malicious files in the %Startup% directory or create custom entries in the Windows Registry. Commonly targeted registry keys are the following:
The JackPot ransomware may also engage in other activities, such as deleting the shadow volume copies by executing the vssadmin command with administrative privileges:
After having deleted all the backups, JackPot may encrypt the targeted files while remaining undetected. The virus may have been configured to encrypt several files partially or to encrypt all files at once, except those crucial to the functioning of Windows. The files that carry the most value for the user are typically:
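The persistence and shadow-copy deletion behaviour described above is exactly what a defender can hunt for in endpoint telemetry. The following is an added example, not code from the original article or from JackPot itself: it scans constructed, Sysmon-style events (process creation, registry value set, file create) and flags vssadmin shadow deletion, Run/RunOnce key persistence and Startup folder drops, then combines them into a host-level verdict. The event shape, the sample paths and the `jp.exe` file name are assumptions made for the example; the Run key and Startup folder locations are the standard Windows ones.

```python
import re

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
# id 1 = process creation, id 13 = registry value set, id 11 = file created.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\jp.exe"},  # assumed dropper path
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\jp",
     "details": r"C:\Users\bob\AppData\Local\Temp\jp.exe"},
    {"id": 11, "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows"
                         r"\Start Menu\Programs\Startup\jp.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",  # benign: an admin listing copies
     "parent": r"C:\Windows\System32\cmd.exe"},
]

SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def classify(event):
    """Return an indicator name for one event, or None if it looks benign."""
    if event["id"] == 1 and SHADOW_DELETE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if event["id"] == 13 and RUN_KEY.search(event.get("target", "")):
        return "run_key_persistence"
    if event["id"] == 11 and STARTUP_DIR.search(event.get("target", "")):
        return "startup_folder_drop"
    return None


def detect(events):
    """Return (indicator, event) pairs for every event that matches a rule."""
    return [(ind, ev) for ev in events if (ind := classify(ev))]


def triage(events):
    """Count findings per indicator and decide whether the host looks infected.

    Backup destruction alone can be legitimate maintenance; backup destruction
    combined with a fresh persistence mechanism is the ransomware pattern.
    """
    counts = {}
    for ind, _ in detect(events):
        counts[ind] = counts.get(ind, 0) + 1
    likely = "shadow_copy_deletion" in counts and (
        "run_key_persistence" in counts or "startup_folder_drop" in counts)
    return counts, likely
```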
- Audio files.
- Database files.
- Adobe Reader PDF documents.
- Microsoft Office documents.
The encrypted files seem to be corrupted and can no longer be opened. A brief ransom note is left behind that aims to notify victims to pay the ransom:
Conclusion and Removal of JackPot Ransomware
JackPot ransomware is a virus that has led malware researchers to believe it is not high-quality ransomware, and its infections are not expected to be massive in number. If you have been infected by this virus, however, researchers strongly recommend that you focus on removing it yourself and attempt to restore your files using the instructions we have suggested below.