JS.Crypto Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

JS.Crypto Ransomware is a real nightmare for all computer users because it is a one-of-a-kind Trojan infection that uses JavaScript, for the first time in the history of ransomware, to encrypt your personal files (documents, videos, images, databases, and more). Because JavaScript runs across platforms, it can be tweaked to infect Mac OS and Linux as well. So far, it has only been found to affect Windows operating systems, but with time it is possible that schemers will find a way to attack the other operating systems as well. Another danger factor regarding this Trojan is that there is not one cyber criminal or a single team behind it: it is offered as a service on an underground Tor site where basically anyone who has a Bitcoin address can have their own customized ransomware generated. Therefore, there can be hundreds or thousands of schemers trying to extort money from unsuspecting users by infecting them with a variation of this dangerous Trojan ransomware. Since it is a relatively new infection, there are no free tools available to decrypt the files, which simply means that if you have no backup files saved on an external drive, you may have lost them forever. You can choose to pay the ransom fee, but you should not forget that you are dealing with criminals, so there is a good chance that you will get nothing in return. We strongly advise you to remove JS.Crypto Ransomware as soon as you realize you have been hit by this monster, even if this will not bring back your personal files.

As we have already mentioned, the source of this Trojan is an underground website where anyone who has a Bitcoin address can apply for a customized copy of JS.Crypto Ransomware. By the way, Bitcoin is a digital currency that was created for secured anonymous money transfers. After a number of parameters are set up, a 22Mb self-extracting WinRAR archive is generated with the name client.scr. It can then be downloaded and distributed as desired. Another unique fact about this ransomware is that it is much bigger than the size ransomware developers usually aim for, which is most often less than 1Mb.

Since there may be a great number of schemers spreading this Trojan infection, it can sneak onto your computer in a number of ways. One of the most common methods of distribution for these infections is the use of spam e-mails. The Trojan will be dropped and activated when you click on a link in the body of the mail or on an attachment, which is usually an image or video file. Therefore, you should never open spam e-mails no matter how tempting and misleading they may be. It is also likely that the sender of these mails will look authentic or even appear to be someone from your contact list. Remember to only open e-mails and their attachments if you are certain that they were meant for you. This way you could actually nip this infection in the bud.

Another way for JS.Crypto Ransomware to appear on your PC requires you to visit questionable or suspicious websites, such as freeware and torrent sites, not to mention websites with pornographic content. If you click on links or third-party ads on these sites, chances are you will infect your machine with this Trojan. What’s worse, you may download a whole package of malware infections, although most probably this ransomware will be the most damaging one among them. It is also possible to download this Trojan if your computer is infected with malware, such as adware, and you click on an unreliable third-party ad generated by it while surfing the web. In any case, a powerful antimalware program could easily filter out these threats before they could land on your computer. If you are in doubt regarding the number of threats endangering your operating system, we recommend that you run a malware scan to see what you are up against. But you must remove JS.Crypto Ransomware first because that is most likely the biggest danger right now.

Once this ransomware activates, it self-extracts to the %Temp% directory. Then it copies all the files to its main folder, which you can find at %AppData%\Chrome Browser. This Trojan uses a number of files to operate, including a fake chrome.exe, which is in fact an NW.js package file that contains the JavaScript code for encrypting your files and for displaying the ransom note. This malware infection also creates a shortcut in the Startup folder to make sure that it starts up with Windows every time you restart it.

This Trojan attacks a great number of file extensions, including .jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wav, .mp3, .aif, .iff, .m3u, .m4u, .avi, .mov, .mp4, .3gp, .mpeg, to mention a few. This ransomware uses the AES encryption system with a 128-bit key that is generated for every single file and the key then gets encrypted by the RSA algorithm. The encrypted AES key and data are stored inside the encrypted file.

When the job is done, this ransomware will display the locker screen or ransom note, which can be either in English or Spanish. This alert window informs you that your files have been encrypted and that you have to pay a certain amount, which is usually around 1 Bitcoin (approximately $433). You will also find instructions regarding the payment method since not everyone is familiar with Bitcoin and how to use it. You will be given 4 days to settle the amount or the fee will increase. If you do not pay within 7 days, your private key, which is stored on a remote server, will be deleted and you will never be able to see your files again. The note claims this will also happen if you try to remove the lock screen or tamper with the encrypted files, which is a usual threat that criminals use to scare users. You will be given the chance to decrypt one file for free so that you can see that the decryption exists and works. Although it may be tempting to pay these criminals to get your files back, we do not recommend that you do so because there is really no guarantee that you will actually get the decryption key for all your files.

Unfortunately, if you have not made backup copies of your files on an external HDD or pendrive, you will most probably lose them. But even so, you must remove JS.Crypto Ransomware because you cannot be safe while it is on board, and your computer is useless in this state anyway. It is possible that you can delete the necessary folder and file right now, but since this Trojan can vary depending on its creator, it is also possible that you need Safe Mode with Networking to be able to perform these steps. That is why we have included manual instructions with this possibility in mind so that you can eliminate this dangerous threat. However, you must keep in mind that even if you delete all the necessary files, some leftovers might remain, not to mention the other possible threats on your computer. Therefore, we advise you to download and install a trustworthy antimalware application that will also keep your PC safe from further attacks.

Restart in Safe Mode with Networking

Windows XP, Windows Vista, and Windows 7

  1. Restart your operating system and keep tapping the F8 key on your keyboard.
  2. Select Safe Mode with Networking from the menu and hit the Enter key on your keyboard.

Windows 8, Windows 8.1, and Windows 10

  1. Press Win+I and click on the Power icon.
  2. While pressing and holding the Shift key down, click on Restart.
  3. Choose Troubleshoot.
  4. Select Advanced Options.
  5. Choose Startup Settings.
  6. Click Restart.
  7. Tap F5 to restart your system in Safe Mode with Networking.

Display hidden items in Windows File Explorer

Windows 8, Windows 8.1, and Windows 10

  1. Press Win+E simultaneously.
  2. Click on the View menu and tick the Hidden items checkbox.

Windows Vista/Windows 7

  1. Press Win+E.
  2. Click on the Organize button and choose Folder and search options from the menu.
  3. Click on the View tab.
  4. Mark Show hidden files and folders.
  5. Click OK.

Windows XP

  1. Press Win+E and choose the Tools menu.
  2. Select Folder Options and click on the View tab.
  3. Mark Show hidden files and folders and click OK.

Remove JS.Crypto Ransomware

  1. Press Win+E to open Windows Explorer.
  2. Locate and remove this folder: %AppData%\Chrome Browser.
  3. Locate this directory: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup.
  4. Find and delete this file: ChromeService.lnk
  5. Restart your computer in Normal Mode.
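
The artifacts named in this guide (the %AppData%\Chrome Browser folder, the fake chrome.exe, and the ChromeService.lnk Startup shortcut) can be checked for in every user profile before and after the manual removal. The PowerShell script below is an added example and not part of the original guide; it only reads and reports, and the C:\Users profile root, the function name Find-JsCryptoArtifacts, and the PowerShell 3.0+ requirement are assumptions.

```powershell
# Added example: read-only check for the artifacts this guide names. Deletes nothing.
# Assumptions: PowerShell 3.0+, profiles under C:\Users (Vista and later),
# %AppData% = <profile>\AppData\Roaming. Run elevated to read other users' profiles.
param([string]$ProfileRoot = 'C:\Users')

function Find-JsCryptoArtifacts {
    param([string]$Root)

    $shell = New-Object -ComObject WScript.Shell   # used only to read shortcut targets
    foreach ($user in Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue) {
        $appData = Join-Path $user.FullName 'AppData\Roaming'

        # Main folder from the guide: %AppData%\Chrome Browser
        $mainFolder = Join-Path $appData 'Chrome Browser'
        if (Test-Path -LiteralPath $mainFolder -PathType Container) {
            [pscustomobject]@{ User = $user.Name; Artifact = 'Main folder'; Path = $mainFolder; Detail = '' }

            # Fake chrome.exe (NW.js package); searched recursively because the
            # guide does not state its exact location inside the folder.
            Get-ChildItem -LiteralPath $mainFolder -Filter 'chrome.exe' -Recurse -Force -ErrorAction SilentlyContinue |
                ForEach-Object {
                    [pscustomobject]@{
                        User = $user.Name; Artifact = 'chrome.exe'; Path = $_.FullName
                        Detail = '{0:N0} bytes, written {1:yyyy-MM-dd HH:mm}' -f $_.Length, $_.LastWriteTime
                    }
                }
        }

        # Persistence from the guide: ChromeService.lnk in the per-user Startup folder
        $lnk = Join-Path $appData 'Microsoft\Windows\Start Menu\Programs\Startup\ChromeService.lnk'
        if (Test-Path -LiteralPath $lnk -PathType Leaf) {
            $target = $shell.CreateShortcut($lnk).TargetPath   # where the shortcut points
            [pscustomobject]@{ User = $user.Name; Artifact = 'Startup shortcut'; Path = $lnk; Detail = "target: $target" }
        }
    }
}

$hits = @(Find-JsCryptoArtifacts -Root $ProfileRoot)
if ($hits.Count -eq 0) {
    Write-Output "No JS.Crypto artifacts from this guide found under $ProfileRoot."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

Because customized builds can differ, an empty result only means these specific paths are absent, not that the machine is clean.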