This article aims to help people decrypt JobCrypter ransomware. If you find that your files have the .locked extension, you can use the JobCrypter decrypter to decrypt them for free.
Here is another recent trojan-ransomware infection, and it is necessary to remove JobCrypter before it fully executes, if possible. The trojan element enters a system covertly and calls out to a server for the ransomware component, which then starts to encrypt user files, executing from a file created in %AppData%. When finished, it puts a ransom .txt note up on the screen which demands a payment (100 – 300 Euros by PaySafeCard) in return for the key. As proof of the key – and to make payment arrangements easier – subsequent steps are to be performed by e-mail, with the offer to decrypt one file free. By this time, most user files will have the extension .locked. The key is stored on the infected system, though only for a short time during encryption, making it possible to recover files if the malware is noticed in time (see below). If not, then this ransomware must be dealt with like many similar types and file recovery attempted (like most ransomware, this one seeks to destroy shadow volume copies to prevent files being reinstated). First, it is important to note how an infection like this breaches a system.
It is reported so far that this ransomware is distributed by fake e-mail that conceals the first executable file. These are at present skillfully mocked-up communications purporting to be from local government agencies concerning financial or community issues, etc. The user is enticed to open the text, which either contains a macro or an attachment that releases the trojan. For an overview of safe ways to deal with suspect e-mail, see below. The other possible ways of contracting this malware are: when browsing and encountering a hacker’s exploit kit (EK) that takes advantage of a system or app vulnerability, allowing trojan access; the download and installation of a freeware bundle that wasn’t examined; being manually hacked via an insecure network or remote desktop connection; or even using a contaminated external device that carries the infection. It is far easier to stop JobCrypter entering an operating system than to clean up the mess.
One thing of interest: writers have stated that the ransom note language is generic and that the only difference is that it is in the French tongue (to specifically target people of that country). This is incorrect – it doesn’t have the similarity of tone or arrogance of preceding ransomware. The text seems almost like an apology, or an explanation with some social conscience behind the words, and almost to be appealing to the victim’s sense of social justice:
“Hello, we are human beings without jobs, not looking for problems, (we) just want to feed our families,”
(“Bonjour, nous somme des êtres humains sans emplois, en cherche pas les problèmes, en veux juste nourrir nos familles,” )
Of course, no-one can condone any data-ransom, though it is an interesting departure from the norm of extortion-ware language. Also worth noting is the nom de guerre/de plume chosen for the e-mail contacts: ‘geniesanstravaille@… which translates as either ‘genie (as in Arabian folklore) or genius – without work’…
Detecting and dealing with JobCrypter
As system scans by many security applications unfamiliar with new variants tend not to detect the trespassers, it is necessary for the user to know what to watch for. Noticeable indications of trojan-ransomware are slowing of running speed (caused by CPU usage of the malware) and possible program crashes/screen-freezes; increased (unauthorized) internet connection and port use (the invader trying to ‘phone home’); changes in file extensions (to .locked); and slower boot-up time. If any of these things are observed, disconnect from all internet and wireless connections, including networking. Disconnection can prevent encryption if the ransomware hasn’t yet made contact and started the process (though it makes no difference if this is already underway). If files have been found to have changed, back up all untouched files to an external device, then search for the key…
Here is the way to decode encrypted files, if the user is able to detect JobCrypter and retrieve the key before encryption is complete. It has been reported that encryption can take as little as 20 minutes for all files to be .locked, though this of course depends on the system and file volume, and other reports are of this taking much longer. The decryption key is temporarily stored in the Windows Registry: it will appear in HKCU\Software and be named Code. By clicking on it, a 20-character key will be revealed and should be recorded. This should be entered in the relevant ransom screen box that will be presented AFTER encryption is completed (so that the malware can delete its entry from the Registry first and continue to think that it is in control). If this is successful, follow the instructions below to totally remove JobCrypter. If it is too late for this, then remove the malware and attempt to recover files from shadow volume copies using Shadow Explorer (in some service packs or available at windows.microsoft.com), or by using Windows Previous Versions. After getting rid of JobCrypter, think about how to prevent further infections.
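The two points above (the .locked indicator and the short-lived Code entry under HKCU\Software) can be watched for automatically while the machine is still disconnected. The following PowerShell script is an added example, not code from the original article or from any decrypter; it assumes the key is stored either as a value named Code directly under HKCU\Software or as a value inside a subkey of that name, and it writes whatever it finds to a file so that the 20-character key survives the malware deleting its own Registry entry.

```powershell
# Added example: poll HKCU\Software for the transient JobCrypter "Code" entry
# described in the article and save it before the malware removes it.
# Assumptions: the key is a string value named "Code" under HKCU\Software,
# or a value inside a subkey HKCU\Software\Code; $OutFile is an arbitrary path.
param(
    [string]$OutFile = "$env:USERPROFILE\Desktop\jobcrypter_key.txt",
    [int]$PollSeconds = 5,
    [int]$MaxMinutes  = 60
)

function Get-JobCrypterCode {
    # Case 1: a value named "Code" directly under HKCU\Software
    $props = Get-ItemProperty -Path 'HKCU:\Software' -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['Code']) {
        return [string]$props.Code
    }
    # Case 2: a subkey HKCU\Software\Code holding a 20-character value
    if (Test-Path 'HKCU:\Software\Code') {
        $sub = Get-ItemProperty -Path 'HKCU:\Software\Code' -ErrorAction SilentlyContinue
        foreach ($p in $sub.PSObject.Properties) {
            # skip the PSPath/PSParentPath/... bookkeeping properties
            if ($p.Name -notlike 'PS*' -and ([string]$p.Value).Length -eq 20) {
                return [string]$p.Value
            }
        }
    }
    return $null
}

function Get-LockedFileCount {
    # Indicator from the article: user files renamed with the .locked extension
    (Get-ChildItem -Path $env:USERPROFILE -Filter '*.locked' -Recurse -File `
        -ErrorAction SilentlyContinue | Measure-Object).Count
}

$deadline = (Get-Date).AddMinutes($MaxMinutes)
while ((Get-Date) -lt $deadline) {
    $code = Get-JobCrypterCode
    if ($code) {
        "$(Get-Date -Format o) Code=$code" | Out-File -FilePath $OutFile -Append -Encoding ascii
        Write-Host "Key recorded ($($code.Length) chars) to $OutFile; copy it to external media now."
        break
    }
    Write-Host "$(Get-Date -Format T) no key yet; .locked files so far: $(Get-LockedFileCount)"
    Start-Sleep -Seconds $PollSeconds
}
```

Run it from an elevated or normal PowerShell session as the affected user (the entry is under HKCU, so it must be that user's hive), and move the output file off the machine as soon as the key is recorded.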
How to decrypt JobCrypter .locked files
Please, follow the steps below to decrypt .locked files:
Step 1: Download the free JobCrypter decrypter from here: http://www.pandasecurity.com/resources/tools/pandaunransom.exe
Step 2: Double-click on pandaunransom.exe.
Step 3: Click “Agree” to accept the License agreement.
Step 4: Click the “Select folder” button to select a folder containing .locked files.
Step 5: Click the “Start” button to begin the decryption process. Please keep in mind that this may take a long time (even days), so make sure your PC will not go into Sleep mode, and do not restart or turn off the computer. When the decrypter finishes, you should find all your files decrypted.
How to prevent JobCrypter
Working practice is one of the cornerstones of security. In this case, the ransomware is delivered through the opening of a fake e-mail – the solution to this is obvious: delete e-mail from unsolicited sources without opening it. If there is a need to scrutinize everything, then e-mail can be read without opening it by left-clicking it to reveal Properties and selecting View Source. After the coded headers, this will display any text and reveal any attachments/macros (though don’t think it is safe to use a browser’s Print Preview, as some malware will execute in this mode). Turning off the ActiveX/macro function for Microsoft Office apps will add safety. For networks, there are Administrator restrictions that can filter e-mail, and along with a good understanding of potential risks by all users, the system should be protected. Setting privileges at the tightest levels that prevent unauthorized executable programs whilst still allowing the network to function will further strengthen the situation.
Remember the possible entry routes above and keep them in mind – especially the freeware installation route. A good firewall is necessary, preferably set to block all communication with TOR and I2P networks and to disallow unauthorized port use (if ransomware cannot communicate, it is disabled, in most cases). Make sure that the firewall covers all possible connections, including remote access. Keep operating systems up-to-date and regularly check for patches. Keep the browser current also, set for maximum security, and configured to disallow add-ons, plugins and extensions being added without prior examination. Make regular backups and store them externally or in Cloud storage. Good security software kept current can help by carrying out periodic scans. With good practice and updated technology, this and other ransomware can be avoided.
Perhaps the linguistic work included in the text is an attempt to socially engineer the user – or to amuse malware commentators; or perhaps this really is a specimen piece of work by the author/actor/hacker – a high-profile advertisement made in the hope of landing a legitimate job? Either way, it’s ransomware and a travail to deal with – so prevent it!