I wrote this article to help you remove JohnyCryptor Ransomware. This JohnyCryptor Ransomware removal guide works for all Windows versions.

The purpose of viruses like JohnyCryptor ransomware is to raise proceeds for their developers. This type of infection is called a win-locker. The clandestine program uses an encryption algorithm to lock most files on the hard drive. Upon doing so, it notifies the victim of its actions and states its demands. The hackers behind JohnyCryptor ransomware ask for a certain sum to restore the accessibility. They state that the only way to have your data recovered is with the use of a unique decryption key. Paying the cyber criminals is not advised. You should look for an alternative way to restore your private files.

JohnyCryptor ransomware has a malicious agenda. The insidious program starts encrypting files upon penetrating a computer. This process happens on the background or when the machine is powered off. JohnyCryptor ransomware uses a combination of AES CBC 256-bit and RSA-2048 ciphers to perform the encryption. The nefarious program targets documents, photos, databases, archives, audios, videos, system components and other file types. Upon completing the encryption, JohnyCryptor ransomware drops a ransom note on the desktop. In addition, the background is reset to a custom wallpaper which contains the same message.

The ransom note is titled “How to decrypt your files.txt”. It tells the user what he has to do to request the decryption key. You will have to contact the developers of JohnyCryptor ransomware. Their email address is JohnyCryptor@aol.com. If you do not receive a response within 24 hours, you will have to send a message to the alternative address of the cyber criminals: JohnyCryptor@india.com. People do not have much time to react. The private key is stored on a remote command and control server for 7 days. The entire process of contacting the hackers, transferring the sum and waiting for a confirmation can take a while. Users have to act fast. This benefits the renegade developers. The less time a person has to make a decision, the more likely he is to succumb to the pressure.

Contacting a win-locker is stressful enough in its own right. You will discover that your personal files have become inaccessible. JohnyCryptor ransomware rearranges their code schemes and adds a suffix to their names. It contains an ID number which you have to list in the letter. The win-locker generates the appendix using the following formula: .id-[8 hexadecimal characters].Johnycryptor@aol.com.xtbl. JohnyCryptor ransomware also requires the user to attach 3 encrypted files which should be no more than 2 MB in size. The reply to your email will provide full instructions on the payment process. The hackers ask users to pay in bitcoins. This cryptocurrency accommodates identity protection. Since the transaction is unregulated, the recipients are not formally committed to fulfill an obligation. They can choose not to complete their end of the deal without consequence.

JohnyCryptor ransomware is spread through a couple of propagation vectors, known as dark patterns. The most common technique is spam emails. The furtive program lurks behind attachments, listed as important documentation. The sender can introduce himself as a representative of a genuine company or entity, like the national post, the local police department, a government branch, a bank, a shopping platform, a social network, a courier firm, etc. To proof the reliability of a given message, look up the sender’s contacts. He should have written from an official account of the organization in question.

The other distribution method is called a drive-by installation. It is initiated when opening a corrupted website or following a compromised link. One click is enough for JohnyCryptor ransomware to enter your computer. You need to be cautious about your sources. Do your research on unfamiliar websites. Make sure a given link comes from a reliable person before clicking on it. Keep in mind that hackers can break into people’s online accounts. Even if the sender is an acquaintance of yours, the link could still be dangerous. If you are not expecting a link, contact the person to make sure he has sent it.

JohnyCryptor Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, JohnyCryptor Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since JohnyCryptor Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete