The sub-techniques beta is now live! Read the release blog post for more info.


JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.[1]

ID: S0389
Version: 1.0
Created: 18 June 2019
Last Modified: 30 June 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

JCry has used cmd.exe to launch PowerShell. [1]

Enterprise T1486 Data Encrypted for Impact

JCry has encrypted files and demanded Bitcoin to decrypt those files.[1]

Enterprise T1490 Inhibit System Recovery

JCry has been observed deleting shadow copies to ensure that data cannot be restored easily. [1]

Enterprise T1086 PowerShell

JCry has used PowerShell to execute payloads.[1]

Enterprise T1060 Registry Run Keys / Startup Folder

JCry has created payloads in the Startup directory to maintain persistence.[1]

Enterprise T1064 Scripting

JCry has used VBS scripts.[1]

Enterprise T1204 User Execution

JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.[1]