1 of 3
Danger level 7
Type: Trojans
Common infection symptoms:
  • Can't be uninstalled via Control Panel
  • Installs itself without permissions
  • Connects to the internet without permission
  • System crashes
  • Slow Computer

JohnyCryptor Ransomware

JohnyCryptor Ransomware is an infection that, according to our research, was created by malware developers in India. Similarly to the recently unleashed Saraswati Ransomware, this infection uses malicious files to encrypt your personal files as well as executables, which makes it impossible to open certain applications, including web browsers and antivirus software. Needless to say, this is done to make it harder for you to research the ransomware or its removal. Although removing JohnyCryptor Ransomware has nothing to do with the decryption of your personal files, it is crucial that you erase this threat as soon as you can. First, read the report to learn about the distribution and the activity of this devious threat.

According to our researchers, JohnyCryptor Ransomware is mainly spread via spam emails, and its installer might be concealed as a harmless file (e.g., document, invoice, or photo). Of course, other methods of distribution could be employed as well as cyber criminals keep inventing new ways to spread their malicious products. Beware of social-engineering scams, drive-by download attacks, and the infiltration of malware-downloading Trojans. If the malicious JohnyCryptor Ransomware is executed on your computer successfully, it immediately encrypts the files it is set up to encrypt in all directories except for %WINDIR%. It would make no sense for this ransomware to corrupt system files because this could lead to system crashes and inability to use the PC at all, which might disrupt the payments that the creator of this infection expects. Unfortunately, this devious threat can encrypt the executables of antivirus tools if they are not updated in time to detect and delete this ransomware.

Unlike some of the threats of its kind, JohnyCryptor Ransomware does display an obnoxious, screen-locking notification representing the scary demands. Instead, it creates a file, "How to decrypt your files.txt", that lists Johnycryptor@aol.com and Johnycryptor@india.com email addresses that you supposedly need to contact to get your files decrypted. Additionally, it replaces your regular wallpaper with an image that provides some information. The message within the image states that you need an original decryption tool that only cyber criminals can provide you with if you email Johnycryptor@aol.com. The second email address is attached below, and it is listed as an emergency one. Whichever email you contact, you will receive instructions to pay a ransom. Have you paid the ransom but the files remain encrypted? Unfortunately, this is something that many ransomware victims deal with, which is why we never recommend following the instructions and paying the requested sums.

The files encrypted by JohnyCryptor Ransomware are very easy to identify because they gain a noticeable extension, “id-[random ID].Johnycryptor@aol.com.xtbl". Needless to say, the random ID is a unique ID that is allocated to every victim. Should you remove this extension, the file will remain encrypted. Another thing regarding the encryption of files is that this ransomware is capable of re-encrypting new files after the PC is restarted. So, if you, for example, move your healthy files from the backup, they will be encrypted the next time you restart your computer. Do you have a backup where all of your important files are stored? If you do, the encryption of the files on your PC should not faze you because you have a way of restoring them without decrypting the ones that are already encrypted. You have a bigger problem if your files are not backed up. Although you might want to pay the ransom, check out third-party tools – the ones that JohnyCryptor Ransomware tries to scare you off – that might help you decrypt files. The worst thing you can do is expect cyber crooks to work to your advantage.

After execution, JohnyCryptor Ransomware replicates itself (random names) in %WINDIR%\SysWOW64 and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directories. The latter directory also includes TXT and JPG files that represent the demands of this ransomware. If you are scared that you are going to remove the wrong files, manual removal is not for you. Luckily, the alternative removal method is much better, and we advise choosing it even if you are experienced and you are capable of eliminating the ransomware manually. This method calls for an authentic, automated malware remover capable of cleaning your PC from all kinds of infections. Although it might take some time for you to figure out what you want to do with your files, we advise initiating the removal process ASAP because this threat is dangerous.

JohnyCryptor Ransomware Removal

  1. Simultaneously tap Win+E to launch Explorer.
  2. Type %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and tap Enter to open this directory.
  3. Right-click and Delete the How to decrypt your files.jpg and How to decrypt your files.txt files.
  4. Also Delete the executable with the random name (take note of this name).
  5. Type %WINDIR%\System32 (or %WINDIR%\SysWOW64 if you run 64-bit Windows version) into the address bar and tap Enter on the keyboard to open this directory.
  6. Right-click and Delete the executable that has the same random name of the file in the previous directory.
  7. Restart the computer.
  8. Install a malware scanner to check if you have successfully eliminated every single trace of this infection.
Download Spyware Removal Tool to Remove* JohnyCryptor Ransomware
  • Quick & tested solution for JohnyCryptor Ransomware removal.
  • 100% Free Scan for Windows

Post comment — WE NEED YOUR OPINION!

Please enter security code:
This is a captcha-picture. It is used to prevent mass-access by robots.