You just turned on your computer, but something looks amiss. Why is it that you can’t seem to open your files? Every time you try to do so, a dialog box pops up asking you to specify a program to use to access the file.
If this is happening to you, you may have been a victim of JSWorm 2.0, a type of ransomware with victims in multiple countries that’s spreading using an unknown distribution method. You’ll know that you’re a victim for sure if you look at your files and see that their names have .JSWORM or .JURASIK at the end.
If you see these extensions to your file names, don’t start deleting files. You may be considering paying the ransom to get your files decrypted, but it’s possible to get your files back for free.
Read on to learn how to recover all of your data without having to send money to hackers.
What Is JSWorm 2.0?
JSWorm 2.0 is the new version of a similar ransomware program known as JSWorm. Because of the similarities between the two variants, both are believed to have been created by the same party. They were both written in C++ and both use the Blowfish algorithm to encrypt files on infected computers.
JSWorm 2.0 encrypts the files on a victim’s computer, rendering them unusable. It leaves a ransom note file on the computer with instructions on how to recover the files. JSWorm operates in a similar manner.
Most ransomware attacks work in a similar fashion, though their internal programming is usually different. That said, JSWorm 2.0 came to be regarded as the continuation of the JSWorm campaign after experts analyzed the samples that multiple victims had submitted to ID-Ransomware.
Finally, the most obvious reason that JSWorm 2.0 is thought to be the successor to JSWorm is the naming convention of the files they lock. Both use the second file extension .JSWORM, though JSWorm 2.0 also uses the .JURASIK extension.
Currently, the number of victims is fairly low, but these victims are spread across the globe so it’s difficult to tell if the ransomware attacks are limited to a specific network or location.
For now, it’s likely best to assume that everyone is a potential victim.
How Do You Know You’ve Been Affected by JSWorm 2.0?
Before you start following the instructions on how to decrypt your files affected by JSWorm 2.0, you’ll need to confirm that it is, in fact, JSWorm 2.0 that has encrypted your files and not another ransomware or virus.
First Sign: File Extensions
The most obvious sign is the file names. JSWorm 2.0 affects different kinds of files. Any affected file will have its full filename end with the extension .JSWORM or .JURASIK.
The full file name will look something like this:
<FileName>.<extension>.[ID-<numbers>][<email>].JURASIK
Here, anything in the brackets <> may be different, but the file extension will be the same.
Second Sign: The Ransom Note
Since JSWorm 2.0 is ransomware and the hackers responsible for getting it on your computer want to notify you about how to retrieve your data, they will leave a ransom note of sorts to let you know what happened to your files and how you can get your data back.
JSWorm 2.0 is no exception and comes with its own standard ransom note, shown in the screenshot below:
JSWorm 2.0 ransom note: notice the personal ID and the key value.
Here, note the JSWorm Public Key located at the bottom of the ransom note. This key is what allows for unique encryption among all the victims. Even if two victims have an identical file on their computers, the files will be completely different after they’ve been encrypted.
Note: The file name of the ransom note will be JSWORM-DECRYPT.txt.
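As an added example (not part of the original article), here is a small Python triage script that checks a file listing for the two signs above: names that follow the JSWorm 2.0 template and the presence of JSWORM-DECRYPT.txt. The separator handling is assumed from the template shown above, and the sample paths, victim ID and e-mail address are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Assumed from the naming template on this page:
#   <FileName>.<extension>.[ID-<numbers>][<email>].JURASIK (or .JSWORM); stray spaces tolerated
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.\s*\[ID-(?P<victim_id>[^\]]+)\]\s*"
    r"\[(?P<email>[^\]]+)\]\s*\.\s*(?P<marker>JURASIK|JSWORM)$",
    re.IGNORECASE,
)
RANSOM_NOTE = "JSWORM-DECRYPT.txt"

class EncryptedFile(NamedTuple):
    path: str
    original: str   # name the file had before encryption
    victim_id: str  # the personal ID also shown in the ransom note
    email: str      # contact address embedded in the file name
    marker: str     # JURASIK or JSWORM

def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return the parsed parts if the name follows the JSWorm 2.0 scheme, else None."""
    m = ENCRYPTED_NAME.match(PureWindowsPath(path).name)  # .name handles \ and /
    if not m:
        return None
    return EncryptedFile(path, m["original"], m["victim_id"], m["email"], m["marker"].upper())

def triage(paths):
    """Summarise a listing: encrypted files, distinct victim IDs and ransom notes found."""
    hits = [h for h in map(parse_encrypted_name, paths) if h is not None]
    notes = [p for p in paths if PureWindowsPath(p).name.lower() == RANSOM_NOTE.lower()]
    return {
        "encrypted": hits,
        "victim_ids": sorted({h.victim_id for h in hits}),
        "ransom_notes": notes,
        # Both signs together are a strong indicator; either alone still merits a look.
        "both_signs_present": bool(hits) and bool(notes),
    }

# Constructed sample listing; the ID and e-mail are placeholders, not real indicators.
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.[ID-1234567890][contact@example.invalid].JURASIK",
    r"C:\Users\alice\Pictures\holiday.jpg.[ID-1234567890][contact@example.invalid].JSWORM",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Desktop\JSWORM-DECRYPT.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE)["encrypted"]:
        print(f"{f.marker}: {f.original} (victim ID {f.victim_id})")
```

Run it over a real listing (for example `os.walk` output) to count affected files and confirm that every encrypted name carries the same victim ID as the ransom note.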
Third Sign: The Technical Impacts
In addition to the aforementioned signs that you’ve been affected by JSWorm 2.0, you will notice that the following changes have taken effect.
- Database services have been stopped. Recovery mode is now disabled and you cannot use an old restore point. Shadow copies are gone, so no recovery from them is possible.
- The EnableLinkedConnections registry value is now set. This makes the user's mapped network drives visible to processes running with administrator rights, so the ransomware can attack those drives too.
- The LanmanWorkstation (SMB client) service has been restarted along with other SMB-related services.
IMPORTANT – The KEY
No matter what you do, DO NOT alter, delete or do anything else to the public key. This is what will help you to decrypt all of your encrypted files later on. Since it’s a lengthy string of random numbers and letters, it will be nearly impossible to accurately guess or recreate it if it’s lost or altered.
The Cure: Emsisoft Decrypter
Emsisoft, an antimalware company based in New Zealand, has recently developed a decrypter for JSWorm 2.0. Once you have confirmed that your computer is infected with the ransomware, simply download the Emsisoft JSWorm 2.0 decrypter program and run it as instructed below.
Using the Decrypter
Download the decrypter and save it in your Downloads folder or on your Desktop. Once the program is downloaded, complete the following steps:
1. Run the program as an administrator or as an administrator-level user.
2. The program will ask you to agree to its license agreement. Press the Agree button to continue.
Agree to the terms
3. The program will ask you on its Bruteforcer window to browse for and select the ransom note file.
Search for the ransom note file in the Bruteforcer window
4. Once selected, press the Start button. The program will extract the key value from the file and display it in a dialog box. Press OK when it appears.
The decryption key found
5. This will display the main window for the Emsisoft decrypter for JSWorm 2.0. It will give options to select any drive or folder to start the decrypting process. You can add a small folder first to see how the decryption works. Once tested, it is best to add whole drives so the program can search for all the encrypted files and decrypt them, instead of you having to add individual folders.
Add drives or folders
Once the decryption process is done, the decrypter will show the status as Finished in the Results tab.
Decryption is done!
When presenting the decrypter program with the ransom note file, be extra cautious that the file has not been tampered with.
The program uses the personal ID and the JSWORM PUBLIC KEY value in the ransom note file to decrypt the encrypted files. If the values are somehow changed, it may not work at all or may end up further jumbling the already-encrypted files.
So, fight the temptation to edit the file. If you have already edited it, change it back to exactly the way it was.
How Did You Get Infected in the First Place?
You’re likely wondering how you got infected with JSWorm 2.0 and you’re not alone in your confusion.
It’s not yet confirmed at this point how exactly anyone was infected with this particular ransomware. It is known, however, that it’s not bound by location since the victims are from seemingly random places all over the world.
Most Likely Method of Infection
The most common way of spreading viruses or similar malware is through file-sharing services where you download seemingly harmless files.
These files could be delivered to you through:
- Torrents or a comparable file-sharing service
- Shady websites offering free downloads
- Cracking or antivirus tools
- Free non-open source software
- Spam emails which claim to be offering pre-installed software updates, new software or even Microsoft Word documents
- Browser extensions
These files may come zipped so they seem harmless to the system until you download and open them.
The Word document files may contain macros with malicious code. The document asks you to enable macros so that it can be viewed correctly. Once you do that, the macros execute the code, dropping the ransomware or virus onto your computer.
These files may also come as application installers for free software. Once you run the installer, the program is installed along with the ransomware or the virus. You may find these installers on your quest to find some free application that you aren’t yet ready to pay for or want to try before you buy.
Browser extensions are also a popular method for distributing ransomware. You can download extensions and add-ons from fraudulent development studios that appear legitimate. Their rankings are achieved by purchased reviews, which create the illusion that they only do what they say they do.
How Can You Prevent This?
The best option to protect yourself from ransomware is to try to use software from legitimate developers and studios, even if you have to pay for them. The urge to use free software or to take a shortcut often results in an unexpected negative outcome.
Always download from trusted websites and file hosts, and only accept email attachments from known people or companies/organizations. Follow cybersecurity best-practices, have a tried and tested up-to-date antivirus program running all the time and use premium VPNs whenever you are online to hide your identity and secure your data.