JuicyLemon targets the Windows OS and is distributed via the Angler exploit kit, network shares, and malicious email attachments. Once a system is infected, JuicyLemon adds various values to the registry, encrypts specific file types, contacts its C2 server via HTTP, and then drops a .bat file that deletes the original executable. JuicyLemon asks victims to send one of their encrypted files to support@juicylemon.biz or provectus@protonmail.com. It completely renames encrypted files to a combination of a unique victim ID number, an email address, and a Bitcoin wallet address. JuicyLemon demands a ransom payment of 1000 euros worth of Bitcoin.

  • Cylance provides more information about JuicyLemon.
  • Bleeping Computer provides a free decryption tool for JuicyLemon.

One example of the JuicyLemon variant. Image Source: Cylance