JobCrypter Ransomware

What is JobCrypter Ransomware?

The attack of JobCrypter Ransomware is very quick and very aggressive. This infection is launched using a malicious file that might pretend to be a PDF file, a photo, or some other harmless type of file. It is most likely that this malicious file will come as an attachment to a misleading spam email sent from an unfamiliar sender, such as bordeaux@sothis.fr. Once launched, this infection unleashes locker.exe to encrypt personal files. If you do not intercept this process, your photos, videos, documents, and other personal files will be encrypted using the Triple DES encryption algorithm. Unfortunately, if your files are encrypted successfully, the only way for you to decrypt them is by paying a ransom requested via a TXT message created by this ransomware. Of course, if copies of your personal files are stored in an external drive or using a file hosting service, you do not need to worry about decrypting your files. In either case, you MUST delete JobCrypter Ransomware, and we can show you how to do that.

WARNING! If you have recognized this infection right after it got in, you might be able to evade all problems. Our researchers have found that this ransomware creates a decryption key and reveals it in the Value Data section. The name of the value is "Code", and it is located under HKEY_CURRENT_USER\SOFTWARE. The key has 20 random characters, and you need to copy it before the encryption process is completed, after which the key is automatically deleted. If you do not manage to erase the infection before it encrypts files, you might be able to use this key to decrypt them for free.

How does JobCrypter Ransomware work?

Anti-Spyware-101.com researchers have analyzed plenty of malicious ransomware infections. A few years back we saw an emergence of ransomware using the credentials of authentic organizations and employing Paysafecard, Ukash, MoneyPak, and similar anonymous payment systems to collect the so-called fines. Loadit Ransomware – also known as GVU Virus – is one of these infections. Although JobCrypter Ransomware does not hide behind fake credentials, it uses Paysafecard to collect the ransom, which comes up to 300 Euro. The ransom is requested via a .txt file, "Comment debloquer mes fichiers.txt", which you can find on the Desktop and in the %APPDATA% directory, and it might open up on your screen automatically. The message states that the ransomware was created by unemployed people who have resorted to extortion to feed their families, which is a complete nonsense, and you should not pay attention to it. You also should not contact the emails provided – geniesanstravaille@outlook.fr, geniesanstravaille@yahoo.fr, or geniesanstravaille@gmail.com – unless you are paying the ransom, which is not what we recommend. The information you disclose by contacting these emails – including your own email address – could be used in a malicious way.

Our malware analysts have tested several different tools designed for decrypting files; however, they did not work. Unfortunately, removing JobCrypter Ransomware will not solve the problem either. If you erase the extension attached to the encrypted file (.locked), the file will remain locked as well. It appears that the only way to decrypt personal files is by following the instructions introduced to you via the TXT file. The information in this file is in French, and it appears that this infection is location specific. If you live outside of France, and your operating system got infected with this ransomware, let us know by commenting below. Some ransomware infections were found to target specific regions with specific notifications, and it is possible that a ransomware message in German will be presented to you if you live in Germany. In any case, regardless of where you live, ransomware is incredibly malicious, dangerous, and aggressive, and most users, unfortunately, are incapable of protecting themselves from it.

How to delete JobCrypter Ransomware

It is essential for you to remove JobCrypter Ransomware from your operating system regardless of how you go about the situation with the file encryption. If your files are backed up, simply follow the guide below to erase this malicious threat from your operating system. If you decide to lose your personal files because you do not want to satisfy cyber criminals or if you pay the ransom, you still need to delete this infection, and you can use the same guide for this. Of course, we recommend using an anti-malware tool instead because it can automatically eliminate all existing infections and ensure further protection against them. Now, if you choose the manual option, you will need to think about Windows security separately.

Removal Instructions

1. Open the Explorer (tap Win+E).
2. Enter %APPDATA% into the address bar.
3. Delete the Locker.exe file.
4. Open RUN (tap Win+R).
5. Type in regedit.exe and click OK.
6. Navigate to HKCR\Applications\.
7. Delete the Locker.exe key.
8. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
9. Delete the .locked key.
10. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
11. Delete the value whose value data is "C:\Users\user\AppData\Roaming\Locker.exe".

Download Removal Tool100% FREE spyware scan and
tested removal of JobCrypter Ransomware*