JobCrypter Ransomware Removal Guide

Do you know what JobCrypter Ransomware is?

JobCrypter Ransomware is a type of Trojan that is configured to encrypt personal files for the purpose of extorting money from its victims. So, needless to say, you have to remove this infection if your computer is infected with it. However, the damage has already been done. Recovering your compromised files requires a decryption key that you can get by paying the ransom, but you might not get it even after paying the ransom. Thus, you should invest in an antimalware program to prevent infections such as this one from entering your computer in the first place. Nevertheless, those who had their computers infected with this ransomware have a unique 10-20 minute window of opportunity to get the decryption key for free.

So let us get to it right away. The decryption key is temporarily stored in the Windows Registry. The registry key you should be looking for is in HKCU\Software. Its value name is Code. Click on it to reveal the 20-character decryption key and enter it in the resulting window after the encryption process is complete. However, as you can see, you have to move swiftly, because once the encryption is complete, the decryption key will be lost forever. While testing this infection, our researchers attempted to restore the registry to get the decryption key using a program called Yaru, but the restoration process was unsuccessful.

JobCrypter Ransomware uses the TripleDES symmetric-key block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block. Therefore, it is next to impossible to decrypt using third-party decryption tools. Note that this ransomware only targets files that are likely to contain personal information. Our researchers have found that this ransomware encrypts various file types that include:

.bin, .bk, .bmp, .cfg, .dat, .db, .doc, .docx, .gif, .gz, .htm, .html, .ini, .jpeg, .jpg, .js, .lnk, .mp3, .mp4, .pdf, .png, .ppt, .pptx, .sdf, .tmp, .txt, .wma, .wmv, .xls, .xlsx, .xml.

As mentioned, the encryption process takes approximately 10 to 20 minutes. It will begin only if the computer is connected to the Internet, but disconnecting mid-encryption will not abort the process. This ransomware appends a .locked extension after the file's original extension (e.g., document.docx.locked).

JobCrypter Ransomware has one executable file called Locker.exe, which is dropped in %APPDATA%. Once the encryption process is complete, this infection will create a .txt file named Comment debloquer mes fichiers.txt. All of the information in it is written in French, but in short, it explains what has happened and how to pay the ransom. Note that the ransom can be anywhere from 50 to 100 Euros. However, we want to inform you that you might not get the decryption key after you pay the ransom and will be left empty-handed.

Preventing malware from entering your PC in the first place is, of course, highly desirable. However, it is not always possible, especially when malware developers employ deceptive distribution techniques. Our researchers have found that JobCrypter Ransomware is distributed via email spam that may be sent from various addresses. Our analysts have found that this ransomware is sent from an address named Bordeaux@sothis.fr. It may contain some fictitious text to get your attention and create a sense of urgency. The email contains a self-extracting archive file that will dump the executable Locker.exe. The self-extracting process may be halted and terminated by an antimalware program, so make sure to get one to prevent future infections.

Unlike most ransomware, JobCrypter Ransomware has a weakness that you can use to your advantage to defeat it. However, you must take action quickly, which is not always possible. So if your computer has been infected with this ransomware and it has encrypted all of your personal files, please resist the temptation to pay the ransom, because by paying it you will fund the development of future ransomware. Please consult the instructions on how to safely remove JobCrypter Ransomware.

How to remove this ransomware

Windows XP

  1. Open the Start menu and click Restart.
  2. Press and hold the F8 key while the computer restarts.
  3. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking.
  4. Press Enter.
  5. Log on to your computer.

Windows 7 and Vista

  1. Open the Start menu and click the arrow next to the Shut Down button.
  2. Click Restart.
  3. Press and hold the F8 key as your computer restarts.
  4. On the Advanced Boot Options screen, use the arrow keys to highlight Safe Mode with Networking.
  5. Press Enter.
  6. Log on to your computer with administrator rights.

Windows 8 and 8.1

  1. Press the Windows+C keys and click Settings.
  2. Click Power, hold down Shift on your keyboard and click Restart.
  3. Click Troubleshoot, click Advanced options, and select Startup Settings.
  4. Click Restart and press 5 on your keyboard to Enable Safe Mode with Networking.

Windows 10

  1. Open the Start menu and click the Power button.
  2. Hold down the Shift key and click Restart.
  3. Select Troubleshoot.
  4. Go to Advanced options and select Startup Settings.
  5. Select Restart and select Enable Safe Mode with Networking.

Option 1. Manual removal

  1. Open Windows Explorer by simultaneously pressing the Windows+E keys.
  2. Enter %APPDATA% in the window’s address bar.
  3. Find Locker.exe, right-click on it, and click Delete.

Delete the registry keys

  1. Open Run by simultaneously pressing the Windows+R keys.
  2. Enter regedit in the dialog window and click OK to open the Windows Registry.
  3. Find and delete the following registry keys.
    • HKCR\Applications\Locker.exe
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.locked
  4. Find HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  5. Delete the value whose data is C:\Users\user\AppData\Roaming\Locker.exe
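
The manual checks above can be gathered into one read-only PowerShell triage pass that reports which of this guide's indicators are present. This is an added example, not part of the original guide. Two things are assumptions: looking for the Code value in HKCU\Software and its direct subkeys (the guide does not name the subkey), and searching only the user profile for .locked files and the ransom note.

```powershell
# Added example: read-only triage for the indicators named in this guide.
# It only reports; it deletes nothing.
$findings = New-Object System.Collections.Generic.List[string]

# Dropped executable in %APPDATA%
$exe = Join-Path $env:APPDATA 'Locker.exe'
if (Test-Path -LiteralPath $exe) { $findings.Add("Executable: $exe") }

# Registry keys the guide says to delete (HKCR has no default PowerShell drive)
$keys = 'Registry::HKEY_CLASSES_ROOT\Applications\Locker.exe',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.locked'
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings.Add("Registry key: $k") }
}

# Autostart: any HKCU Run value whose data points at Locker.exe
$run = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($name in $run.GetValueNames()) {
        $data = [string]$run.GetValue($name)
        if ($data -like '*\Locker.exe*') { $findings.Add("Run value '$name': $data") }
    }
}

# Value named Code. Assumption: the guide does not name the subkey, so look in
# HKCU\Software itself and in its direct subkeys.
$candidates = @(Get-Item -LiteralPath 'HKCU:\Software') +
              @(Get-ChildItem -LiteralPath 'HKCU:\Software' -ErrorAction SilentlyContinue)
foreach ($k in $candidates) {
    if ($k.GetValueNames() -contains 'Code') {
        $code = [string]$k.GetValue('Code')
        $findings.Add("Code value in $($k.Name) (length $($code.Length)): $code")
    }
}

# Encrypted files and ransom note. Assumption: searching the user profile only.
$note = 'Comment debloquer mes fichiers.txt'
$files = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.locked' -or $_.Name -eq $note })
$locked = @($files | Where-Object { $_.Extension -eq '.locked' })
if ($locked.Count) { $findings.Add("$($locked.Count) .locked file(s), e.g. $($locked[0].FullName)") }
$files | Where-Object { $_.Name -eq $note } | ForEach-Object { $findings.Add("Ransom note: $($_.FullName)") }

if ($findings.Count) { $findings } else { 'No JobCrypter indicators from this guide were found.' }
```

Other software may also store a value named Code, so compare the reported length with the 20 characters described above before relying on it.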

Option 2. Automatic removal

  1. Go to http://www.spyware-techie.com/download-sph
  2. Download SpyHunter-Installer.exe
  3. Run the installation Wizard.
  4. Once installed, launch the program.
  5. Perform a full system scan.
  6. Click Fix Threats.
  7. All done.

In non-techie terms:

JobCrypter Ransomware encrypts various file formats and wants you to pay for the decryption key that only it can provide. It uses an advanced encryption algorithm that is probably impossible to decrypt using third-party tools. However, we do not recommend paying the ransom because you might not receive the promised decryption key. Therefore, we recommend that you remove this ransomware and try to restore your files from backups if you have any.