JuicyLemon targets Windows OS and is distributed via the Angler exploit kit, network shares, and malicious email attachments. Once a system is infected, JuicyLemon adds various values to the registry,, encrypts specific files types, contacts its C2 server via HTTP, and then drops a .bat file which deletes the original executable. JuicyLemon requests that victims send one of their encrypted files to firstname.lastname@example.org or email@example.com. It completely renames encrypted files to a combination of a unique victim ID number, an email address, and a Bitcoin wallet address. JuicyLemon demands a ransom payment of 1000 euros worth of Bitcoin.