Danger level 9
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Changes background
  • Connects to the internet without permission
  • System crashes
  • Slow Computer

JS.Crypto Ransomware

JS.Crypto Ransomware is a very harmful infection that targets computers running Windows. The threat is built with NW.js, a framework for developing applications, which means that JS.Crypto Ransomware itself is based on JavaScript. Specialists working at pcthreat.com say that there is a small possibility that JavaScript could be used to affect Linux and Mac OS X too, which means that JS.Crypto Ransomware might start spreading among the users of these operating systems as well. In our opinion, all users have to be very cautious no matter which OS they use, because recent research has shown that it is possible to become an affiliate of JS.Crypto Ransomware, i.e. to distribute it after selecting specific options, e.g. whether or not to fully lock the computer, whether to show a lock screen, and even the amount of Bitcoins to demand. The original owners of JS.Crypto Ransomware probably get some money for that. We are sure that you will recognize when JS.Crypto Ransomware manages to enter the system because you will see that you cannot access your major files. Unfortunately, JS.Crypto Ransomware might encrypt your new files too, so make sure that you remove this infection from your PC before you store new files on your computer.

It has been noticed that JS.Crypto Ransomware itself encrypts hundreds of different files. These files are documents, pictures, music, and videos mainly, so they usually have the following extensions: .jpg, .jpeg, .pmd, .ppsx, .mp3, .mp4, .mpeg, .wmv, .sdf, .mpa, .dot, .docx, .aet, .ppj, .indl, .3gp, and others. Their appearance will probably not change, but you will simply not be able to access any of them. The inability to access the majority of files is not the only symptom which shows that a ransomware infection has slithered onto your computer. Specialists working at pcthreat.com say that you will definitely notice a warning message on your screen too. If you see it (the text of the message is provided below), there is no doubt that JS.Crypto Ransomware has managed to enter your system.


All your data (photos, documents, databases, etc) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.

As can be seen, cyber criminals seek to convince users to make a payment. They give only 4 days for that and say that the payment will increase after the time ends. They also promise to decrypt one file for free in order to prove that they can decrypt all of them. It is up to you whether to make a payment of 0.1 Bitcoins (approximately $35) or not; however, we do not recommend doing that if you have a backup (e.g. files on a USB flash drive) of your files. Unfortunately, there is no other way to gain access to files at the moment.

JS.Crypto Ransomware is distributed as a client.scr file. As it is a WinRAR self-extracting archive, it will immediately extract files to %Temp% and %AppData%\Microsoft\Windows\Start Menu\Programs\Startup directories and add a shortcut in Startup after a user clicks on it. It has been observed that JS.Crypto Ransomware adds the following files to the system:

  • chrome – has a copy of the GPL license agreement inside.
  • chrome.exe – contains the actual malware code.
  • ffmpegsumo.dll, nw.pak, locales, and icudtl.dat – contain data necessary for the NW.js framework.
  • rundll32.exe – contains a copy of the TOR client.
  • s.exe – contains a copy of Optimum X Shortcut.
  • g – contains information necessary for the configuration of ransomware.
  • msgbox.vbs – script that displays a pop-up message on the screen.
  • u.vbs – script that deletes files and folders in different directories.

As can be seen, JS.Crypto Ransomware adds files that resemble legitimate Google Chrome files, e.g. chrome.exe, so that it is not detected and removed so easily. We also want to mention that JS.Crypto Ransomware will add ChromeService.lnk to the Startup directory (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup) in order to be able to start together with Windows OS.
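
The file and persistence indicators listed above can be checked with a short triage script, run on a live host or against a mounted user profile. This is an added example, not code from pcthreat.com; `scan_profile`, `MIN_CLUSTER` and its threshold of 4 are assumptions made for the illustration, and the script goes slightly beyond the text by looking for the dropped names in any subdirectory of the two roots.

```python
import os
from pathlib import Path

# File names the article lists as dropped by the client.scr self-extractor.
DROPPED = {"chrome", "chrome.exe", "ffmpegsumo.dll", "nw.pak", "locales",
           "icudtl.dat", "rundll32.exe", "s.exe", "g", "msgbox.vbs", "u.vbs"}
# Assumption: this many listed names in one directory counts as a hit,
# because chrome.exe or nw.pak alone also occur in legitimate installs.
MIN_CLUSTER = 4
STARTUP = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")


def scan_profile(appdata, temp):
    """Return (kind, detail) findings for an %AppData% and a %Temp% directory."""
    appdata, temp = Path(appdata), Path(temp)
    findings = []

    # Directory the removal steps delete: %AppData%\Chrome Browser
    if (appdata / "Chrome Browser").is_dir():
        findings.append(("install_dir", str(appdata / "Chrome Browser")))

    # Persistence shortcut in the per-user Startup folder (case-insensitive).
    startup = appdata / STARTUP
    if startup.is_dir():
        for entry in startup.iterdir():
            if entry.name.lower() == "chromeservice.lnk":
                findings.append(("startup_shortcut", str(entry)))

    # Directories in which several of the dropped names sit side by side.
    for root in dict.fromkeys((appdata, temp)):
        for dirpath, dirnames, filenames in os.walk(root):
            names = {n.lower() for n in dirnames + filenames}
            hits = sorted(names & DROPPED)
            if len(hits) >= MIN_CLUSTER:
                findings.append(("dropped_cluster", f"{dirpath}: {', '.join(hits)}"))
    return findings


if __name__ == "__main__":
    # Live Windows host: use the current user's environment variables.
    # For an offline image, pass the mounted profile paths instead.
    for kind, detail in scan_profile(os.environ.get("APPDATA", "."),
                                     os.environ.get("TEMP", ".")):
        print(f"[{kind}] {detail}")
```

A rundll32.exe reported inside a user-writable directory deserves attention on its own, since the article identifies that file as a bundled TOR client rather than the Windows binary.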

JS.Crypto Ransomware is spread in different ways. Specialists have found out that it might enter your system after you click on a bad link or advertisement, open a spam email attachment, or download an unreliable program from a third-party web page, torrent or a file-sharing website. JS.Crypto Ransomware is definitely not the only ransomware infection that exists, so we highly recommend that you install a reputable security tool if you want to protect your system from similar infections that might try to slither onto your PC.

It is definitely not easy to remove JS.Crypto Ransomware manually; however, you still have to do that because this threat might encrypt your new files. The instructions below will help you to get rid of this threat manually. In case you do not feel experienced enough to do that yourself, scan your system with the SpyHunter antimalware scanner. Whether you carry out the JS.Crypto Ransomware removal yourself or use an automatic tool, this, unfortunately, will not help you to decrypt your files.

Remove JS.Crypto Ransomware from PC

Display hidden files and folders

Windows XP

  1. Open the Start button and go to Control Panel.
  2. Double-click on Folder Options and open the View tab.
  3. Click a button next to Show hidden files and folders to enable it.
  4. Remove the tick from Hide protected operating system files (Recommended).
  5. Click Apply.

Windows 7/Vista

  1. Click the Organize button in any folder and select Folder Search Options.
  2. Mark the Show hidden files and folders button.
  3. Remove the checkbox from Hide protected operating system files (Recommended).
  4. Click Apply.

Windows 8/8.1/10

  1. Open the File Explorer.
  2. Open the View tab and click Options.
  3. Select Change folder and search options.
  4. Mark Show hidden files and folders.
  5. Remove the tick from the Hide protected operating system files (Recommended) box.

Delete directories and files

  1. If the warning message cannot be closed, open the Task Manager (Ctrl+Shift+Esc), open the Processes tab, find the chrome.exe process and kill it (right-click on it and select End Process).
  2. Launch RUN (Windows key + R).
  3. Enter %AppData%\Chrome Browser in the box and click OK.
  4. Delete this directory.
  5. Launch RUN again and enter %AppData%\Microsoft\Windows\Start Menu\Programs\Startup .
  6. Click OK.
  7. Find and remove ChromeService.lnk.