John Crypter Ransomware (Restore Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

John Crypter Ransomware (Restore Files)

This article has been made to show you how to remove John Crypter ransomware and try to get back files encrypted by this virus for free.

Similar to a previously detected ransomware virus, named Johny Cryptor, the John Crypter ransomware infection has been detected spreading a malicious .bin file and infecting computers in different locations around the globe. The virus aims to encrypt the files on the computers it compromises, after which it displays a ransom note demanding $500 as a ransom payoff in bitcoin. In case you have become a victim of the John Crypter ransomware threat, we recommend reading the following material carefully.

Threat Summary

Name: John Crypter
Type: Ransomware
Short Description: The virus encrypts files on computers infected by it, after which it demands a $500 payment for the decryption.
Symptoms: The victim may not be able to open the files. A custom file extension may be appended to them. A ransom note file is also dropped.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by John Crypter
User Experience: Join our forum to Discuss John Crypter.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

John Crypter Virus – Distribution

The methods for spreading the John Crypter ransomware virus may vary. For starters, the virus may spread via e-mail, either as a malicious e-mail attachment or as a malicious web link. Such attachments or web links may be obfuscated by being wrapped in otherwise clean files, such as archives, or by using URLs that lead to cloud accounts where the malicious files are open for download. An example of such an e-mail, built around convincing but fake statements, can be seen below:

Another method of redistributing John Crypter ransomware may be through fake setup files, fake updates and patches, or key generators that are posted on the web. The websites on which they usually reside are suspicious software download sites as well as websites that host torrents.

John Crypter – Infection Activity

After the user has opened a malicious infection file, the virus may drop the payload of John Crypter, which may consist of the following file, related to an executable named ransomeware.exe:

In addition to this file, other support files and the wallpaper of the ransomware infection are also dropped. They may reside under different names in the following Windows locations:

Part of the malicious activity of the John Crypter ransomware may be to modify various Windows Registry keys so that the malicious ransomeware.exe virus file runs on Windows boot. This is achieved by creating string values in the following Windows sub-keys:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
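The four autostart keys listed above are the first place to look when triaging a suspected infection. The following PowerShell script is an added example written for this article and is not code from SensorsTechForum or from the malware; it enumerates every value under those Run/RunOnce keys and flags entries that launch from user-writable directories or whose file name matches the ransomeware.exe name the article associates with this infection. The directory heuristics and the field names in the output are the example's own assumptions.

```powershell
# Added example (not from the article): audit the Run/RunOnce autostart keys named
# above and flag entries that deserve a closer look.
# Assumptions: run in an elevated PowerShell session on the machine being checked;
# the path heuristics below are the example's own and are not taken from the article.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories that a legitimate autostart rarely launches from, plus the file name
# the article associates with this infection. Treat hits as leads, not verdicts.
$SuspiciousPathPattern = '\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\'
$KnownBadNames = @('ransomeware.exe')

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty also returns PS* metadata properties; skip those.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Strip surrounding quotes and arguments to isolate the executable path.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if (-not $exe) { continue }
            $onDisk = Test-Path -LiteralPath $exe -PathType Leaf
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Command    = $cmd
                Executable = $exe
                Exists     = $onDisk
                # A valid Authenticode signature is a point in favour, never proof.
                Signed     = if ($onDisk) {
                                 (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
                             } else { $false }
                Flags      = @(
                    if ($exe -match $SuspiciousPathPattern) { 'user-writable-path' }
                    if ($KnownBadNames -contains (Split-Path $exe -Leaf)) { 'name-matches-article' }
                ) -join ','
            }
        }
    }
}

# Flagged entries sort to the top; review them before deleting anything.
Get-AutostartEntries | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Review the flagged rows against the file locations the article lists before removing a value; an unsigned binary in AppData that is also missing from disk is a typical leftover of a removed payload, while a flagged entry that still exists should be hashed and submitted to a scanner before it is deleted.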

In addition to this activity, the John Crypter ransomware may also delete the shadow volume copies on Windows machines by executing different versions of the vssadmin command on the infected computer:
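Because vssadmin is a built-in administrative tool, the process name alone is not a useful indicator; what distinguishes shadow-copy destruction is the argument string. The following PowerShell is an added example written for this article, not code from the site or from the malware: it classifies process command lines that delete or shrink shadow copies, runs that classifier over a few constructed sample lines, then applies it to Sysmon process-creation events (Event ID 1) from the last 24 hours and independently counts the shadow copies that still exist. The presence of Sysmon and the log name are assumptions.

```powershell
# Added example (not from the article): spot shadow-copy deletion on a Windows host.
# Assumptions: Sysmon is installed and logging process creation (Event ID 1) to
# Microsoft-Windows-Sysmon/Operational. The sample command lines below are constructed
# for illustration and were not captured from this malware.

# The two vssadmin forms that remove or starve shadow copies. Listing them is benign.
$ShadowWipePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'vssadmin(\.exe)?\s+resize\s+shadowstorage.*maxsize'
)

function Test-ShadowWipeCommandLine {
    param([string]$CommandLine)
    foreach ($pat in $ShadowWipePatterns) {
        if ($CommandLine -imatch $pat) { return $true }
    }
    return $false
}

# Constructed samples to exercise the classifier offline; only the 2nd and 3rd should match.
$Samples = @(
    'vssadmin list shadows',                                                                # benign
    'vssadmin.exe Delete Shadows /All /Quiet',                                              # wipe
    '"C:\Windows\System32\vssadmin.exe" resize shadowstorage /for=C: /on=C: /maxsize=401MB', # starve
    'notepad.exe C:\Users\Public\readme.txt'                                                # unrelated
)
foreach ($s in $Samples) { '{0,-5} {1}' -f (Test-ShadowWipeCommandLine $s), $s }

function Get-ShadowWipeEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName   = 'Microsoft-Windows-Sysmon/Operational'
                 Id        = 1
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as <Data Name="..."> elements; flatten them to a table.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (Test-ShadowWipeCommandLine $d['CommandLine']) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d['User']
                Parent      = $d['ParentImage']   # the dropper, not vssadmin, is the real lead
                CommandLine = $d['CommandLine']
            }
        }
    }
}

Get-ShadowWipeEvents | Format-Table -AutoSize

# Independently confirm whether any shadow copies survive on this host.
$copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
"Shadow copies present: $($copies.Count)"
```

Without Sysmon, the same check can be run against Security event 4688, but only if the "Include command line in process creation events" audit policy was enabled beforehand; otherwise the event carries the process name and not the arguments that the classifier depends on. A zero count of shadow copies on a machine that previously had restore points is itself a strong sign that the deletion already ran.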

John Crypter Ransomware – Encryption Process

The encryption of John Crypter targets many commonly used file types on the computers it infects. The virus may look for the following file types:

.jpg, .jpg2, .png, .ppt, .pptm, .pptx, .bmp, .doc, .docm, .docx, .docxml, .pdf, .gif, .rtf, .tar, .targz, .targz2, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .mkv, .mov, .mp4, .mpeg, .mpg, .msg, .myd, .myi, .obj, .odb, .odc, .odm, .ods, .oft, .one, .onepkg, .onetoc2, .opt, .oqy, .p7b, .p7c, .pcx, .pdd, .pdp, .pem, .pfx, .php, .php3, .php4, .php5, .phtml, .pl, .pm, .pot, .potm, .potx, .pps, .ppsn, .prn, .pst, .ptx, .pxr, .py, .ai3, .ai4, .ai5, .ai6, .arw, .as, .ASA, .ascx, .asmx, .asp, .aspx, .asr, .avi, .bak, .bay, .bz2, .c, .cdr, .cer, .cfc, .cfn, .cfnl, .cin, .chm, .class, .config, .cpp, .crt, .cs, .css, .csv, .cub, .dae, .db, .dc3, .dcm, .der, .dic, .dif, .divx, .djvu, .dl, .dot, .dotm, .dotx, .dpx, .dqy, .dtd, .dwg, .dx, .dxf, .dsn, .dwt, .eps, .exr, .fido, .frm, .gz, .h, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .ind, .ini, .iqy, .j2c, .i2k, .java, .jp2, .jpc, .jpf, .jpx, .js, .jso, .json, .kmz, .lbi, .m4v, .mdb, .mdf, .mef, .mht, .mhtml, .r3d, .rar, .rdf, .rle, .rqy, .rss, .rw2, .rwl, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .srw, .ssi, .stn, .svg, .svg2, .swf, .tdi, .tga, .tld, .u3d, .udl, .uxdc, .vcs, .vda, .wbm, .wbmp, .xlk, .xlm, .xltx, .xlw, .xsd, .xsl, .xsc, .xslt, .xz, .wb2, .wim, .wmv, .zip, .3fr, .3gp, .7z

The set of files encrypted by this ransomware virus may include even more types than those listed above. After the encryption process has completed, John Crypter renders those files unopenable and drops the following lockscreen ransom note.

Ransom note text:

“Attention
All Your Files are Encrypted by John Crypter
Warning: Do not turn off your Computer EITHER you will LOST all your files
If you want to decrypt your files follow this simple steps:

1.)Create BitcoinWallet.
2.)Buy Bitcoins worth of $500
3.)Send $500 in BitCoin to Given Address
4.)Go to xxx.xxx.xxx and Enter your Personal ID
5.)You will get your Decryption Key.
6.)Enter it in Given Box and Click on Decrypt
7.)Restart your Computer and Delete any encrypted file you find.”

The lockscreen message threatens that the files will be deleted after the infected computer is restarted and since this is completely achievable, users are strongly advised to backup the encrypted files on multiple different external drives or in the cloud, before removing the virus and trying to restore the data.
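Backing up the encrypted files before any removal work is the advice above, and a backup is only useful for later decryption attempts if every copy is bit-for-bit identical to the original. The following PowerShell script is an added example written for this article and is not code from SensorsTechForum: it mirrors the user's data folders onto an external drive, hashes source and copy with SHA-256 to prove the copy is intact, writes a CSV manifest, and summarises the file extensions it saw, which helps identify the custom extension the Threat Summary says may be appended. The source folders, the destination drive letter and the manifest path are placeholders.

```powershell
# Added example (not from the article): copy encrypted user data to an external drive
# before removal starts, keeping folder structure and a verified hash manifest.
# Assumptions: E:\ is the external drive (placeholder); the script is run from the
# account whose profile holds the data, after the machine is booted in Safe Mode as
# the removal steps describe.
param(
    [string[]]$Sources     = @("$env:USERPROFILE\Documents",
                               "$env:USERPROFILE\Pictures",
                               "$env:USERPROFILE\Desktop"),
    [string]  $Destination = 'E:\JohnCrypter-backup',               # placeholder
    [string]  $Manifest    = 'E:\JohnCrypter-backup\manifest.csv'   # placeholder
)

New-Item -ItemType Directory -Path $Destination -Force | Out-Null

$rows = foreach ($src in $Sources) {
    if (-not (Test-Path -LiteralPath $src)) { continue }
    Get-ChildItem -LiteralPath $src -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        # Mirror the path relative to the drive root so each copy stays attributable.
        $rel  = $_.FullName.Substring((Split-Path $src -Qualifier).Length).TrimStart('\')
        $dest = Join-Path $Destination $rel
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $_.FullName -Destination $dest -Force

        # Hash both sides; a mismatch means the copy must be redone, not trusted.
        $srcHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        [pscustomobject]@{
            Source    = $_.FullName
            Copy      = $dest
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTimeUtc.ToString('o')
            Extension = $_.Extension
            SHA256    = $srcHash
            Verified  = ($srcHash -eq $dstHash)
        }
    }
}

$rows | Export-Csv -LiteralPath $Manifest -NoTypeInformation -Encoding UTF8
"Copied $($rows.Count) files; $(@($rows | Where-Object { -not $_.Verified }).Count) failed verification"

# Extension histogram: an unfamiliar extension dominating this list is the one the
# ransomware appended, and it is what a future decrypter will need to recognise.
$rows | Group-Object Extension | Sort-Object Count -Descending |
  Select-Object -First 10 Name, Count | Format-Table -AutoSize
```

Keep the manifest with the backup: when a free decrypter appears, the recorded hashes let you confirm the copies have not been altered in the meantime, and the LastWrite timestamps narrow down when the encryption ran.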

John Crypter Virus – Remove It and Restore Encrypted Files

For the removal process to succeed, it is good practice to follow the removal instructions posted below. They are specifically created to help you succeed in removing all files related to the John Crypter malware. In case manual removal represents a difficulty or you feel unsure, security experts often advise using an advanced anti-malware tool for maximum effectiveness, automatic removal of John Crypter and future protection.

In case you are looking for ways to restore the encrypted files, keep checking our blog as we will update it if a free decrypter for this ransomware virus appears. In the meantime, we strongly advise you to check the alternative tools to restore your files in step “2. Restore files encrypted by John Crypter” underneath. They may not restore 100% of your encrypted files, but may succeed in restoring a portion of them.

Manually delete John Crypter from your computer

Note! Important notification about the John Crypter threat: Manual removal of John Crypter requires interference with system files and the Registry. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove John Crypter files and objects
2. Find malicious files created by John Crypter on your PC

Automatically remove John Crypter by downloading an advanced anti-malware program

1. Remove John Crypter with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by John Crypter
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
