JobCrypter ransomware - How to remove

JobCrypter ransomware is a crypto-demanding, file-locking virus. JobCrypter targets French-speaking users and asks for 500 euros in exchange for the precious locked files. In order for you to know which files are encrypted, it uses a typical ransomware technique to mark them with extensions .locked and .css at the end of the original file. The ransom note gives 9 emails and a personal code so that the victim can contact the crooks if they do want to get their files back. This virus is especially dangerous to the financial institutions because it does have additional features that allow it to track data, keylogg and spy victims.

Overall JobCrypter seems like a typical ransomware virus that is no different than Assembly, Unlockmeplease, Whoopsie,Xlocker, but there are a few reasons why it is more dangerous than its previous versions. In this article, we will help you understand more about how this virus operates, what it does, how to recognize it and delete it permanently. While mostly it targets France, it can affect every country because there are no borders in the virtual world.

What does JobCrypter virus do

JobCrypter virus was pretty active before in 2016, then asking around 50-100 euros, but this time it came back stronger and greedier asking for 500 euros in crypto coins also bringing a GUI. It is believed that the virus was created by Algerian hackers, because of the used slogans. Despite ransom note being written in French this virus has the same spreading, encrypting and processing features like its other variants and malware group. It spreads via email, therefore if you have recently seen any suspicious messages in your mail account, it would be best not to open them.

Once the virus is downloaded to the computer and activated it stops your current antivirus from working, then runs processes in the background modifying registry keys so that it would be more persistent and arise every time you restart your PC, looks for potential decryption files that are mainly in your Documents file directory and encrypts them with the serious algorithms. What is interesting that Reportedly JobCrypter doesn’t just lock the files, but actually targets French banks, works as a keylogger and an identity stealer, uses routing / C2, digital certificates. Despite it being targeted towards financial institutions it can do harm to regular users as well.

The final stage of JobCrypter is to drop a .txt file that contains information about what happened to the victims’ computer, how to contact the developers and how much is expected for a ransom. Additionally, ransomware drops an unlocker box, where user after paying can put his decryption key sent from hackers and unlock every file locked. A very similar approach like Arescrypt virus.  Take a look at this ransom note:

Bonjour, nous somme des êtres humains sans emplois, en cherche pas les problèmes,
en veux juste nourrir nos familles, nous vous demandant de ne pas faire des bêtises avec nous,
Parce que ce n’est pas bien pour vous,
Nous avons crypté tous vos fichiers et nous demandons de nous Payer une rançon de 500 EURO pour débloquer vos fichiers,
Nous vous garantissons le déblocage totale de vos fichier et ne plus jamais entendre parler de nous,
Moyen de Payement:
contactez nous sur l’un de ces emails pour en savoir plus.
[email protected] ([email protected]) ([email protected])
[email protected] ([email protected]) ([email protected])
[email protected] ([email protected]) ([email protected])
Toute demande de déblocage sans Payer sera automatiquement rejeté,
N’oubliez pas de préciser l’identifiant de votre Ordinateur sur le titre du mail, voici votre identifiant: xxxxxxx
En gis de bonne volonté et pour vous prouver que ce n’est pas une arnaque,
Nous allons décrypter un fichier gratuitement pour vous, à condition qu’il soit une photo, un Document PDF ou un fichier audio,
Veuillez nous envoyer un de vos fichiers Crypté en pièce-jointe à l’un des courriel cité au-dessus
et n’oubliez pas de préciser aussi l’identifiant de votre ordinateur pour que nous puissions localiser votre clé de décryptage parmi celle de nos clients.
Vous aurez une repense avec le Code de déblocage dans le même jour du payement.
Si vous supprimer ce fichier texte vous supprimer egalement votre fichier, regarder en dessous, votre fichier est la, Crypté en texte,
Veuillez nous excuser pour le désagrément.

In a nutshell the ransom note says the same thing that most of the ransom notes do: don’t try to remove virus because you will delete all the information, send hackers money in cryptocurrency, it is guaranteed that they will decrypt files and can prove it by unlocking a couple pdf, video and audio files. But please do not fall for this scam and follow our further directions on how to deal with JobCrypter ransomware, because you cannot trust hackers no matter what they tell you.

How did you get JobCrypter virus

There are many ways that crooks spread JobCrypter virus. Hackers always look for the easiest methods to access the computers and believe it or not, one of the most common technique that ransomware viruses are using is through bogus emails, which shows that people let malware into their systems themselves. These emails are usually very well socially engineered and can be targeted towards different kinds of users, therefore ransomware attacks are seen not only amongst personal home computers but in big corporations too. Actually, this current JobCrypter ransomware version is mainly targeting French banks, because it has more features that allow to not only to lock files but gather important data, track user acitivities and etc.

Hackers put together a very believable message that can seem that it came from your school, work, lawyer, government, hospital or client saying that there is an emergency and you need to open the attached link/file immediately. Once you do so, link asks you to download some sort of update or file itself to see it, same with attachment, which tells that you need to enable macros to work. If you are a curious and concerned person and will give such access, virus initiated the setup and in a few minutes, you have a compromised device. This is why avoiding ransomware requires a lot of precaution and safe browsing skills.

How to get rid of the JobCrypter ransomware fast

No discussion is necessary when it comes to deciding what to do if you have a JobCrypter ransomware infection in your computer. However, the question is, what is the best JobCrypter virus removal tool. Frankly speaking it is the best to take care of any type of viruses with a special program made specifically for this reason – anti-spyware tool. These tools were and still are irreplaceable when it comes to hunting the threats and deleting them without a trace. The reason why you need such a program is that their databases can be bigger than a multitasking antivirus, they have very sophisticated detection skills and can delete even the most notorious viruses.

Automatic Malware removal tools

How to restore JobCrypter virus encrypted files

After deleting the ransomware, you will notice that although the system will be clean, the encrypted files will still stay locked. At the moment of writing JobCrypter ransomware doesn’t have an Official decryptor, but there are a couple of ways you can try restoring your data. Below we prepared a guide on how to recover inaccessible files using their Shadow Copies. Sometimes more notorious virus variants tend to delete Shadow Copies, but it is worth trying this method.

Additionally, even if the recovery did not work for you, do not rush to pay the hackers yet. Keep the files stored, no matter the fact that they are locked, because malware enthusiasts and antivirus companies are working hard to keep up with the newest crypto-lockers, furthermore crypto miners are pushing out ransomware pretty rapidly, that is why there is a great possibility that very soon there will be a tool to unlock your data very soon. As you can see, one of the best malware researchers @demonslay335 is already taking time to solve JobCrypter virus.

How to delete JobCrypter virus manually

The manual removal is more challenging, but still possible if done correctly. This is the best method to choose if you do not have the ability to download any security software, but it does take time and cannot fully delete all the threats that have infected your PC, unless you do the full system restore, but mind you, that if you would take the most radical measure, your files would be gone too. So instead of starting from the scratch, follow our precise guide on how to fix JobCrypter ransomware damage.

How to recover JobCrypter ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before JobCrypter ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of JobCrypter ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to JobCrypter ransomware. You can check other tools here.  

Step 3. Restore JobCrypter ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually JobCrypter ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover JobCrypter ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.