To provide the computer user with information on what happened, the ransomware drops _readme.txt file in each folder. This file is often referred to as ransom note when it comes to ransomware attacks. In short, it explains that all data on the computer was encrypted with robust algorithms and the criminals behind it expect the user to pay a ransom in exchange for JHGN decryption tool and key.
Overview of the ransom note contents
The message in the _readme.txt note begins with a line asking for the user’s attention. The further statements explain that all files on the computer, including photos, videos, archives and other data formats were encrypted with the strongest encryption and unique key. The note suggests that victim can recover all files using a decryption software and decryption key, both in possession of ransomware operators. They recommend buying them from the attackers, or the data will remain encrypted for good. In other words, the threat actors try to extort the user after taking all of the files hostage. They recommend contacting them via email and leave two email addresses in the _readme.txt note – manager@time2mail.ch and supportsys@airmail.cc. According to the note, the victim can attach one encrypted file to the email message for test decryption. The criminals promise to respond with a decrypted file attached. In addition, they state how much the decryption tool and key costs. The note explains that the initial ransom amount is $980, however, if the victim rushes to contact the criminals within 72 hours (3 days), they will provide a 50% discount. It means the decryption tool would cost $490. After the initial contact, the criminals respond with the conditions regarding the ransom payment. They demand the victim to visit one of cryptocurrency exchange platforms and purchase cryptocurrency such as Bitcoin for the settled amount. Later, the victim will be asked to transfer the funds to the provided virtual wallet address. Such form of payment is untraceable, therefore law enforcement agencies such as FBI cannot track the threat actors down. Screenshot of the _readme.txt note dropped in each affected data folder on a computer. Regardless of the situation, cybersecurity experts and FBI stick to the recommendation of NOT paying the ransom to cybercriminals. One, it doesn’t guarantee data recovery in all cases, second, it helps the cybercriminals create more malware and infect more computers worldwide. Finally, they tend to target victims who are willing to pay up again and again.
Additional risks associated with ransomware attacks
STOP/DJVU variants such as JHGN ransomware virus have a tendency to drop additional malware on compromised systems. Most of the time, these malware samples were spotted spreading VIDAR or AZORULT Trojans. These are well-known information-stealing threats that can be remotely controlled by the attacker to steal sensitive data such as passwords, banking information, cryptocurrency wallets, browsing history and more. With their hands on such data, cybercriminals can plan and carry out further attacks, for example, blackmail the computer user. Ransomware-type viruses also tend to delete Volume Shadow Copies from infected systems and drop various helper processes and modify system files to prevent the computer user from deleting them easily. Moreover, they may also leverage backdoors to enable the attackers to compromise the computer system with additional malware anytime. For this reason, we strongly recommend that you take action to remove JHGN ransomware virus and related threats from the computer immediately. The best way to do this is boot your PC in Safe Mode with Networking and then run a genuine antivirus solution. Afterward, we recommend that you download RESTORO and scan your computer system with it to see which Windows OS files damaged by the virus are repairable. The full version of this tool can automatically fix the damage without the need to reinstall Windows OS.
Ransomware Summary
REPAIR VIRUS DAMAGE Screenshot of files encrypted by JHGN ransomware virus.
How ransomware-type threats infect computers and how you can protect yours?
To proliferate ransomware-type viruses, cybercriminals often make use of social engineering and phishing to trick the computer user into opening a malicious email attachment, downloading a fake pirated software version containing the malicious file, or clicking on a fake ad suggesting that some of programs in victim’s computer are outdated and need to be updated immediately. When it comes to STOP/DJVU variants, our team has noticed that the criminals behind it mostly tend to hide the payload in pirated software versions they advertise online. These may be found in a form of torrents or password-protected archives containing a fake setup. Once the computer user launches it with hopes to install and activate a desired software version without paying for a legitimate license key, the malware begins the attack instantly. We advise all computer users to rely on legitimate websites when sourcing programs. If you’re in need of a specific software, make sure you visit its official developer’s website or a confirmed partner’s/affiliate’s website only. If you try to bypass paying for the license fee in shady ways, you risk infecting your computer with a whole set of malware. Ransomware-type viruses also often arrive in a form of deceptive email attachments, mostly in Word, PDF, Excel or JS formats. The criminals may name them as regular documents, for instance, invoices, order details, pending payment details and similar. They seek to spark victim’s curiosity and trick one into opening the attachment without thinking. Unfortunately, these fake attachments are complimented with scripts that are programmed to download and execute the ransomware on victim’s computer. Once the malicious attachment is opened, there is no way going back. Keep in mind that the attackers often tend to spoof their sender’s address (make it look like it was sent from a legitimate well-known company’s email) and use logos of reputable companies to convince the victim that the sender’s intentions are benign. However, we recommend you to be cautious at all times and avoid interacting with emails that arrive unexpectedly or seem to urge you to take action without thinking (such as click on provided URL or review attached files). In addition, avoid visiting rogue websites promising 100% working decryption tools for STOP/DJVU variants. These websites might be promoting fake downloads hiding additional malware in them. The only tools you can trust in regards of decrypting/repairing files affected by this ransomware family variants were developed by Emsisoft and DiskTuna. Finally, we advise you to keep your computer protected with a genuine antivirus at all times. Make sure you choose one that has 24/7 real-time protection feature. Using such antivirus can prevent malware from infecting your computer even if you download a malicious file to your computer unknowingly.
Remove JHGN Ransomware Virus and Decrypt Your Files
Before you try to remove JHGN ransomware virus, we recommend that you boot your computer in Safe Mode with Networking. This system mode starts the computer with limited set of processes and features, thus deactivating malicious processes from hindering with your antivirus software activities. After booting in the said mode, you should run a full system scan to identify and remove malicious files associated with the described ransomware. Our team also recommends you to download RESTORO to help in restoring virus-affected Windows OS files. If you’ve managed to remove JHGN ransomware virus, do not forget to:
Report the incident to law enforcement agency in your local area.Search for and use data backups to use.Learn more about STOP/DJVU encrypted files and possible ways they could be repaired or decrypted.Immediately change all passwords that were previously used on the compromised computer.
OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove JHGN Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove JHGN Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt JHGN files
Fix and open large JHGN files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. JHGN Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt JHGN files, follow the given tutorial.
Meanings of decryptor’s messages
The JHGN decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your JHGN extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of JHGN Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.