JobCrypter Ransomware

The clandestine JobCrypter Ransomware is an infection that specifically targets computer users who are located in France. The demands of this ransomware are represented in French, and users are asked to pay the ransom using Paysafecard, a service that allows anonymous cash transactions. According to the ransomware note, this service can be used anywhere in France (“disponible partout en France”). Speaking of this ransomware note, it is represented via a text file called "Comment debloquer mes fichiers.txt", and it is usually placed on the Desktop, as well as in the %APPDATA% directory. Of course, most users discover this message only after the file encryption is completed. If you remove JobCrypter Ransomware – which is extremely important – your files will remain encrypted, and that is the main obstacle that computer users face. Please continue reading to find more about this ransomware.

JobCrypter Ransomware uses the TripleDES encryption algorithm to encrypt your personal files. The types of files that this ransomware targets includes .bin, .bk, .bmp, .dat, .doc, .docx, .gif, .gz, .htm, .html, .jpeg, .jpg, .js, .lnk, .mp3, .mp4, .pdf, .png, .ppt, .pptx, .sdf, .txt, .wma, .wmv, .xls, .xlsx, and .xml. This ransomware targets personal files because they cannot be replaced just as easily as system files, and users might be willing to pay a ransom in return for having them decrypted. Speaking of encryption, this ransomware has a loophole that could help you restore your files without having to pay the ransom. During the encryption, JobCrypter Ransomware creates a key under HKCU\Software in the Windows Registry with a value name “Code.” The value data includes a code that is a combination of 20 random characters, and this is your decryption key that you will be forced to pay the ransom to obtain. Of course, this code is deleted right after the encryption process is complete, and most users will not have the chance to retrieve it. Another thing to keep in mind is that encryption cannot be initiated without the Internet connection; however, if you disconnect after the encryption is initiated, you will not stop the process.

The encryption is initiated by a file called "Locker.exe". This file is dropped to the %APPDATA% directory, and it can be identified by the icon representing a padlock. It takes about 10-20 minutes for this file to initiate the encryption of your personal files. Afterward, every file encrypted will be branded with an additional extension, .locked (e.g., example.doc.locked). This locker.exe file is downloaded by a malicious executable that is usually spread via spam emails. In one of the instances, this malicious file was seen being sent from bordeaux@sothis.fr. As soon as this file launches the infection and your files get encrypted, you will be introduced to a window providing your original identification number, as well as an input field that you supposedly can use to enter a code to initiate file decryption. In order to retrieve this decryption code, you are asked to purchase Paysafecard cards worth of 300 EUR and send the codes of these cards to one of the provided emails (geniesanstravaille@[outlook/yahoo/gmail].fr). Paysafecard viruses were very popular in the past; however, the most recent ransomware infections, including HydraCrypt Ransomware and CryptoJoker Ransomware, have employed different ransom collection methods.

It is crucial to delete JobCrypter Ransomware; however, you must keep in mind that this will not help you unlock your personal files. Of course, this is not a problem if your personal files are backed up, and you can retrieve their copies, for example, using an external drive. However, if you value your files, you might choose to follow the demands of cyber criminals. Hopefully, you will not need to resort to this; however, if you do, make sure you do not share any personal information, and use an unused email address. If you do not have one, create it. Cyber criminals might record your email address and use it (or leak it to other unreliable parties that could use it) to scam you again. After you get rid of this infection, please install an anti-malware tool to protect your virtual security. If you skip this step, another malicious threat could slither in sooner than you think. If you have more questions, please post them in the comments section below.

JobCrypter Ransomware Removal

1. Open Explorer (Win+E) and enter %APPDATA% into the address bar.
2. Right-click and Delete the file called"Locker.exe".
3. Open RUN (Win+R), enter regedit.exe, and click OK.
4. In the Registry Editor move to HKCR\Applications\.
5. Right-click and Delete the Locker.exe key.
6. Move to HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.
7. Right-click and Delete the .locked key.
8. Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
9. Delete the value with the Value Data "C:\Users\user\AppData\Roaming\Locker.exe".