Similar to a previously detected ransomware virus, named Johny Cryptor, the John Crypter ransomware infection has been detected to spread a malicious .bin file and infect computers in different locations over the globe. The virus aims to encrypt the files on the computers compromised by it, after which display a ransom not where 500$ are demanded as a ransom payoff in bitcoin. In case you have become a victim of the John Crypter ransomware threat, we recommend reading the following material carefully.
|Short Description||The virus encrypts files on computers infected by it after which demands $500 down payment for the decryption.|
|Symptoms||The victim may not be able to open the files. A custom file extension may be appended to them. Ransom note file is also dropped.|
|Detection Tool|| See If Your System Has Been Affected by John Crypter |
Malware Removal Tool
|User Experience||Join our forum to Discuss John Crypter.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
John Crypter Virus – Distribution
The methods for spreading the John Crypter ransomware virus may vary. For starters, the virus may spread via e-mail. Multiple methods of it being spread via mail are via malicious e-mail attachments or malicious web links. Such attachments or web links may be obfuscated via being uploaded through clean files, such as archives or URLs leading to cloud accounts where the malicious files are open for download. An example for such e-mail containing fake convincing statements can be seen below:
Another method of redistributing John Crypter ransomware may be through different fake setup files, fake updates and patches or key generators that are posted on the web. The usual websites they may reside are suspicious software download sites as well as websites that contain torrents.
John Crypter – Infection Activity
After the user has opened a malicious infection file the virus may drop the payload of John Crypter, which may consist of the following file, also related to an executable named ransomeware.exe:
In addition to this file, other support files and the wallpaper of the ransomware infection are also dropped. They may reside under different names in the following Windows locations:
Part of the malicious activity of the John Crypter ransomware may be to modify various registry editor keys to make the malicious ransomeware.exe virus file run on Windows boot. This is achievable by creating value strings In the following Windows sub-keys:
In addition to this activity, the John Crypter ransomware may also delete the shadow volume copies on Windows machines by executing different versions of the vssadmin command on the infected computer:
John Crypter Ransomware – Encryption Process
The encryption of John Crypter targets multiple different often used files on the computers that are infected with it. The virus may look for the following file types:
.jpg, .jpg2, .png, .ppt, .pptm, .pptx, .bmp, .doc, .docm, .docx, .docxml, .pdf, .gif, .rtf, .tar, .targz, .targz2, .txt, .xlmv, .xls, .xlsm, .xlsx, .xml, .mkv, .mov , .mp4, .mpeg, .mpg, .msg, .myd, .myi, .obj, .odb, .odc, .odm, .ods, .oft,. one, .onepkg, .onetoc2, .opt, .oqy, .p7b, .p7c, .pcx, .pdd, .pdp, .pem, .pfx, .php, .php3, .php4, .php5, .phtml, .pl, .pm, .pot, .potm, .potx, .pps, .ppsn, .prn, .pst, .ptx, .pxr, .py, .ai3, .ai4, .ai5, .ai6, .arw, .as, .ASA, .ascx, .asmx, .asp, .aspx,. asr, .avi, .bak, .bay, .bz2, .c, .cdr, .cer, .cfc, .cfn, .cfnl, .cin, .chm, .class, .config, .cpp, .crt, .cs, .css, .csv, .cub, .dae, .db, .dc3, .dcm, .der, .dic, .dif, .divx, .djvu, .dl, .dot, .dotm , .dotx, .dpx, .dqy, .dtd, .dwg, .dx, .dxf, .dsn, .dwt, .eps, .exr, .fido,. frm, .gz, .h, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .ind, .ini, .iqy, .j2c, .i2k, .java, .jp2, .jpc, .jpf, .jpx, .js, .jso, .json, .kmz, .lbi, .m4v, .mdb, .mdf, .mef , .mht, .mhtml, .r3d, .rar, .rdf, .rle , .rqy, .rss, .rw2, .rwl, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql,. srw, .ssi, .stn, .svg, .svg2, .swf, .tdi, .tga, .tld, .u3d, .udl, .uxdc, .vcs, .vda, .wbm, .wbmp, .xlk, .xlm, .xltx, .xlw, .xsd, .xsl, .xsc, .xslt, .xz, .wb2, .wim , .wmv, .zip, .3fr, .3gp, .7z
And the list of files encrypted by this ransomware virus may include even more files that are encrypted besides the ones above. After the encryption process has completed, John Crypter renders those files no longer openable and drops the following lockscreen ransom note.
Ransom note text:
All Your Files are Encrypted by John Crypter
Warning: Do not turn off your Computer EITHER you will LOST all your files
If you want to decrypt your files follow this simple steps:
2.)Buy Bitcoins worth of $500
3.)Send $500 in BitCoin to Given Address
4.)Go to xxx.xxx.xxx and Enter your Personal ID
5.)You will get your Decryption Key.
6.)Enter it in Given Box and Click on Decrypt
7.)Restart your Computer and Delete any encrypted file you find.”
The lockscreen message threatens that the files will be deleted after the infected computer is restarted and since this is completely achievable, users are strongly advised to backup the encrypted files on multiple different external drives or in the cloud, before removing the virus and trying to restore the data.
John Crypter Virus – Remove It and Restore Encrypted Files
For the removal process to succeed, a go practice is if you follow the removal instructions posted below. They are specifically created to help you succeed in the removal of the all files related to John Crypter malware. In case manual removal represents a difficulty or you feel unsure, security experts often advise using an advanced anti-malware tool for maximum effectiveness, automatic removal of John Crypter and future protection.
In case you are looking for ways to restore the encrypted files, keep checking our blog as we will update it if there is any free decrypter for this ransomware virus. In the meantime, we strongly advise you to check the alternative tools to restore your files in step “2. Restore files encrypted by John Crypter” underneath. They may not restore 100% of your encrypted files, but may succeed in restoring a porton of them.
Manually delete John Crypter from your computer
Note! Substantial notification about the John Crypter threat: Manual removal of John Crypter requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.