This article should be able to help you remove J-Ransomware virus (J-Ransomware.exe) and show how to try and restore .LoveYou encrypted files without paying the ransom.
A new ransomware infection utilizing the AES encryption algorithm has been detected, malware researchers say. The virus is dubbed J-Ransomware, because of the malicious executable used by it. The ransomware also adds the .LoveYou file suffix to the files encrypted by it and the files themselves become no longer able to be opened. Once the .LoveYou file virus has already infected a computer, it drops a ransom note, named ReadMe.txt. It aims to convince victims into paying a hefty ransom fee to get the files decrypted back to their working state again. If your computer has been infected by the .LoveYou file virus, we advise you to read this article thoroughly.
Threat Summary
| Name | .LoveYou File Virus | |
| Type | Ransomware | |
| Short Description | Encrypts the files on the computers infected by it demanding a ransom payoff to be made to get them back. | |
| Symptoms | Files are encrypted with the .LoveYou file extension added as their suffix and a ransom note, named ReadMe.txt is dropped on the victim PC. | |
| Distribution Method | Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner. | |
| Detection Tool | See If Your System Has Been Affected by .LoveYou File Virus Download Malware Removal Tool | |
| User Experience | Join our forum to Discuss .LoveYou File Virus. | |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive. |
How Did I Get Infected With .LoveYou File Virus
The infection process of the .LoveYou ransomware virus may only appear to be very simple, but it actually includes multiple different types of software that may be used to slither the malicious files of the virus onto your computer without you noticing it:
- Malware obfuscators to conceal the malicious files from any average AntiVirus software.
- Web-injectors that can infect your computer automatically after you have clicked on a malicious web link.
- Fake system updates which only pretend to patch yoru PC, while in fact, they are downloading the payload files off .LoveYou file virus.
- Fake setups that pretend to be the free program that you have been searching for to download and install for free online.
- Documents that contain malicious macros and infect your computer after you click on the “ Enable Content” button. Such are usually spread as fake invoices, receipts and other types of seemingly legitimate documents added as e-mail attachments in spam mails.
Once you open the malicious objects, the J-Ransomware virus immediately establishes a connection to the following host:
→ hxxp://jackspam(dot)esy(dot)es/public_html/ransomware.php
After connecting there, the virus immediately downloads it’s payload file, named J-Ransomware.exe, as reported in VirusTotal:
.LoveYou J-Ransomware – Malicious Activity
Once the ransomware virus has infected a targeted computer system, it may immediately insert various different types of functions in Windows. Some of them may interfere with Windows system processes to gain the virus Read and Write (administrative) privileges. Once there, the .LoveYou file virus may perform a set of activities.
One of those activities .LoveYou file virus may be involved with is the creation of registry entries in the following Windows Registry Editor sub-keys:
→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
After this has completed, the .LoveYou file virus may also delete the backups and shadow volume copies on your computer. This is achieved by executing multiple different commands in Windows Command Prompt:
→ vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set boostatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
After this has been done, the malware may also force restart the computer so that it can begin the encryption procedure.
J-Ransomware – Encryption Process
The files that are targeted for encryption by this ransomware infection may be of the following types:
→ “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com
As soon as the .LoveYou file virus detects that some of the file types It has been pre-configured to encrypt are present, the ransomware infection immediately attacks those files and alters their structure with the aid of the AES encryption algorithm. After the encryption process has completed, the .LoveYou file virus adds it’s distinctive file extension to the encrypted files, making them look like the following:
Remove J-Ransomware and Restore .LoveYou Encrypted Files
For the removal process of this ransomware infection, malware researchers recommend to backup your files, just in case, despite them being encyrpted. Then, it is strongly advisable to follow the removal instructions below. They are specifically designed to help you get rid of .LoveYou ransomware either manually or automatically. Since this ransomware virus may create various different files that may tamper with key Windows processes, manual removal may be a risky process. Security experts often advise to use an advanced anti-malware tool that is ransomware-oriented in order to perform the removal automatically and protect your system in the future.
If you are interested in restoring your files in the event that they are encrypted by this virus, recommendations are to try the alternative methods for file recovery in step “2. Restore files encrypted by .LoveYou file virus” below. They are in no way 100% guarantee to recover all your files, but with their aid, you may restore at least some of the data.
