JS.Crypto Ransomware

What is JS.Crypto Ransomware?

JS.Crypto Ransomware is most probably the worst thing that can happen to you right now. According to our malware specialists at Anti-Spyware-101.com, this is a very serious Trojan malware infection that attacks your computer stealthily, i.e., without your knowledge, and encrypts your most precious and most important files in a short time. Before you know it, all your pictures, videos, documents, and even databases will become unusable, and all you will see is a scary lock screen, or, in other words, a ransom note. This is a new and rather unique Trojan ransomware as it was programmed entirely in JavaScript, HTML, and CSS, a first since ransomware infections have been around. Research shows that so far there have only been attacks on Windows operating systems, but our researchers confirmed that this can change in the future because of the capabilities of this JavaScript-based ransomware. Since there is no decryption method available as yet, you will most probably lose all your personal files unless you have backup copies stored on an external drive or you pay the ransom fee. You must remove JS.Crypto Ransomware right away because, otherwise, your computer will become totally useless and crippled. Please read our full report on this dangerous Trojan infection to understand how you could prevent such attacks in the future and how you can delete it manually.

Where does JS.Crypto Ransomware come from?

JavaScript is normally the programming language of HTML and the Web, but it is not limited to your browsers. In fact, this malware was built by using an open source product called NW.js, which is available at its official site, nwjs.io. Since this infection is based on JavaScript, it is possible for it to affect other systems, such as Mac OS X and Linux, which definitely makes this Trojan more dangerous than its usual peers. But this is not the only factor here that makes JS.Crypto Ransomware a real nightmare. As a matter of fact, the original creators of this Trojan saw an opportunity and decided to present their “child” as a service, which is called “Ransomware as a Service,” or RaaS. This is a relatively new way of making easy money for cyber criminals. They set up an underground website in the Tor network where practically anybody can sign up; there is only one condition: to have a valid Bitcoin address.

Once the BTC address is provided, a page comes up where a preferred version of JS.Crypto Ransomware can be set up. Different parameters are provided that include, for example, how much BTC to ask for (here the creators even advise the criminals not to get greedy or else people will not pay) and what type of error message (ransom note) they want to display. When finished, the potential schemers can click on the download button at the bottom, which will generate their ransomware in a file called client.scr. At 22 MB, this is a rather big self-extracting RAR archive; most infections in this category do not go over 1 MB. Research shows that the original creators take a 25% cut of every ransom payment extorted by any version of JS.Crypto Ransomware.

Since there can be an unknown number of secondary creators of this Trojan, it is hard to tell what the main distribution method is because it is obviously dependent on the individual creators. However, we can still enlighten you about the major and most frequent methods. It is essential to know how this dangerous Trojan can end up on your computer because with this knowledge you can actually protect your computer from this kind of attack.

One of the main infection sources is spam e-mails. Criminals can insert infected links in the body of e-mails and also attach infected files, such as image, video, and document files. Clicking on any of these can result in this Trojan landing on your computer. Therefore, it is vital to remember not to open unfamiliar e-mails and not to click on any link or attachment in e-mails that are not specifically sent to you with your knowledge. Another way this Trojan can be spread is through suspicious file-sharing websites. If you visit, for example, torrent or shareware sites, chances are you will click on a potentially unsafe third-party advertisement. This can easily end with this dangerous Trojan sneaking onto your computer, and what is worse, it may also come bundled with other malicious software installers. That is why you should avoid such websites and avoid clicking on advertisements.

How does JS.Crypto Ransomware work?

When the client.scr file is activated, it extracts itself to the %temp% directory. As a matter of fact, this Trojan uses quite a number of files for different tasks. From the temp directory, it then copies all the files to %AppData%\Chrome Browser. Obviously, this ransomware tries to hide itself by pretending to look like a legitimate Chrome folder. What’s more, its main executable file is also named chrome.exe, which is, in reality, the NW.js file itself, i.e., the file that contains the JavaScript code to encrypt your files and to display the ransom note.

Once everything is set up, the ransomware starts to encrypt your personal files. It can recognize and encrypt a great number of extensions, including .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .avi, .mov, .mp4, .3gp, .mpeg, .3dm, .max, .accdb, .db, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wav, .mp3, .aif, .iff, .m3u, .m4u, .php, .asp, .java, .jar, .class, .ppt, .pps. This malware uses the AES-128 encryption system. A key is generated for each file, which then gets encrypted by the RSA algorithm.

When JS.Crypto Ransomware finishes its job, depending on the settings of the particular Trojan, it displays its ransom note. This lock screen contains several pieces of information regarding, for example, the payment method. You are given four days to pay; otherwise, the ransom fee increases. You have seven days altogether before the criminals destroy your decryption key. In order to convince you of their capability to decode your files, you are given a chance to decrypt one file of your choice for free. Although it may mean the loss of all your personal files, we do not recommend paying these criminals. Of course, it is all up to you, but, please, consider that these are cyber criminals who may not keep their promises. It is essential to understand the importance of backing up files by saving them on an external drive, which you should then keep disconnected from your computer. If external drives are connected to your PC while such a Trojan is active on your system, it will most probably encrypt all your files stored on them as well.

How to delete JS.Crypto Ransomware?

So after the cold shower, it is time to talk about solutions. Since JS.Crypto Ransomware can behave in a number of different ways depending on the settings it was generated with, it is possible that you can delete the necessary files without having to restart your machine in Safe Mode. But it is also possible that you will need that. Therefore, we have prepared all the possible steps you may need. Please follow our guide below very carefully, step by step, if you want to remove JS.Crypto Ransomware manually. Since it is possible that some junk remains on your system or that other infections are present as well, we recommend that you use a professional antimalware application to automatically take care of all your security-related issues. Should you have any questions regarding the removal of this beast, please leave us a comment below.

Reboot in Safe Mode with Networking

Windows 8, Windows 8.1, and Windows 10

  1. Tap Win+I and press the Power icon.
  2. Hit and hold down the Shift key while clicking on Restart.
  3. Pick Troubleshoot and click on Advanced Options.
  4. Select Startup Settings and click Restart.
  5. Hit F5 to reboot your computer in Safe Mode with Networking.

Windows XP, Windows Vista, and Windows 7

  1. Reboot your computer and press the F8 key.
  2. Pick Safe Mode with Networking from the menu and press Enter.

How to display hidden items in Windows File Explorer

Windows 8, Windows 8.1, and Windows 10

  1. Tap Win+E to launch Windows File Explorer.
  2. Choose the View menu.
  3. Mark the Hidden items checkbox.

Windows Vista/Windows 7

  1. Tap Win+E to open the File Explorer.
  2. Press the Organize button.
  3. Pick Folder and search options.
  4. Choose the View tab.
  5. Select Show hidden files and folders.
  6. Press OK.

Windows XP

  1. Tap Win+E to launch Windows File Explorer.
  2. Select Tools from the menu.
  3. Pick Folder Options and click on the View tab.
  4. Select Show hidden files and folders and press OK.

How to remove JS.Crypto Ransomware

  1. Tap Win+E to launch Windows File Explorer.
  2. Copy and paste this path: "%AppData%\Chrome Browser" in the address bar and hit Enter.
  3. Delete the Chrome Browser folder.
  4. Copy and paste this path: "%AppData%\Microsoft\Windows\Start Menu\Programs\Startup" in the address bar and hit Enter.
  5. Locate and remove ChromeService.lnk.
  6. On your desktop, right-click on the Recycle Bin and click on the Empty Recycle Bin option.
  7. Press Yes.
  8. Reboot your PC in Normal Mode.
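
The removal steps above name two on-disk artifacts: the "%AppData%\Chrome Browser" folder and ChromeService.lnk in the Startup folder. The following read-only PowerShell check is an added example, not part of the original guide; it reports whether those artifacts exist and whether a chrome.exe process is running from that folder. It assumes PowerShell 4.0 or later and that it is run under the affected user's profile; the variable names are illustrative.

```powershell
# Read-only check for the artifacts named in the removal steps.
# Nothing is deleted or changed; the script only reports what it finds.
$dropDir  = Join-Path $env:APPDATA 'Chrome Browser'
$startup  = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shortcut = Join-Path $startup 'ChromeService.lnk'
$findings = @()

# 1. The folder that imitates a Chrome installation directory.
if (Test-Path -LiteralPath $dropDir -PathType Container) {
    $findings += [pscustomobject]@{ Artifact = 'Drop folder'; Path = $dropDir; Detail = '' }
    # Record SHA-256 hashes of the executables before anything is removed.
    $exes = Get-ChildItem -LiteralPath $dropDir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue
    foreach ($exe in $exes) {
        $hash = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Artifact = 'Executable'; Path = $exe.FullName; Detail = "SHA256=$hash" }
    }
}

# 2. The Startup shortcut; resolve where it points.
if (Test-Path -LiteralPath $shortcut -PathType Leaf) {
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($shortcut)
    $findings += [pscustomobject]@{ Artifact = 'Startup shortcut'; Path = $shortcut; Detail = "Target=$($lnk.TargetPath)" }
}

# 3. A chrome.exe process whose image lives in the fake folder rather than
#    in a real Chrome installation directory.
$procs = Get-Process -Name chrome -ErrorAction SilentlyContinue
foreach ($p in $procs) {
    if ($p.Path -and $p.Path.StartsWith($dropDir, [StringComparison]::OrdinalIgnoreCase)) {
        $findings += [pscustomobject]@{ Artifact = 'Running process'; Path = $p.Path; Detail = "PID=$($p.Id)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the JS.Crypto Ransomware artifacts listed in this guide were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A clean result only means these specific paths are absent for the current user; it does not replace a full antimalware scan.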