Threat Database Ransomware JohnyCryptor Ransomware

JohnyCryptor Ransomware

By CagedTech in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 153
First Seen: May 26, 2016
Last Seen: September 25, 2022
OS(es) Affected: Windows

The JohnyCryptor Ransomware is an encryption ransomware Trojan that poses a real threat to computer users. The JohnyCryptor Ransomware encrypts the victim's files, replacing their extensions with an identification number and an AOL email for the JohnyCryptor Ransomware. The files encrypted by the JohnyCryptor Ransomware cannot be decrypted without access to the decryption key. Unfortunately, this is how the JohnyCryptor Ransomware operates, holding the victim hostage by withholding the decryption key until the victim pays a ransom of several hundred dollars. The JohnyCryptor Ransomware ransom is paid through BitCoins.

The best way to recover from a the JohnyCryptor Ransomware attack is to erase the contents of the infected hard drive and restore it from a backup. If this is not possible, some computer users have found limited success by using decryption utilities. However, computer users may not be able to recover their files without the decryption key or a backup copy. Computer users should avoid paying the JohnyCryptor Ransomware's ransom since this allows con artists to continue creating these attacks. A reliable backup solution will cost a fraction of what it would recover from these attacks.

How the JohnyCryptor Ransomware may Invade Your Computer

The JohnyCryptor Ransomware is distributed using methods commonly seen in threat attacks, mainly corrupted spam email attachments and links. The JohnyCryptor Ransomware can be distributed through attack websites and file sharing networks, included inside popular Torrents. Once the victim is exposed to one of these infection sources, the JohnyCryptor Ransomware infects the victim's computer and begin encrypting the victim's files. The best way to prevent these attacks is to ensure that your computer is protected with a reliable security application that is fully up-to-date. Computer users should avoid file sharing networks and opening unsolicited email messages, attachments, and embedded links to prevent the JohnyCryptor Ransomware from being installed.

Unraveling the JohnyCryptor Ransomware Attack

Once the JohnyCryptor Ransomware has entered a computer, it begins encrypting the victim's files. The JohnyCryptor Ransomware scans the victim's drives for files that have certain file extensions. Common file types that the JohnyCryptor Ransomware and other encryption ransomware Trojans tend to target in their attacks include:

.sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt.

After encrypting the victim's files, the JohnyCryptor Ransomware drops ransom notes to alert the victim of the attack. These files tend to take the form of HTML and TXT files dropped in directories where the JohnyCryptor Ransomware has encrypted files. The JohnyCryptor Ransomware also appends an email address and a numeric identifier to each file that was encrypted, prompting computer users to email this address for further information. The JohnyCryptor Ransomware's ransom notes contain information on how to pay the JohnyCryptor Ransomware's ransom and how to connect the Dark Web and purchase BitCoins to do this.

SpyHunter Detects & Remove JohnyCryptor Ransomware

File System Details

JohnyCryptor Ransomware may create the following file(s):
# File Name MD5 Detections
1. johnyy.exe 493b260b3d1745fa1b1ec06dbd974ea7 48
2. mesa1.exe 53186427569d79d1bbf778d77247a215 15
3. johnyy.exe 085a912877be08593adfec50b7ba64b6 15
4. johnyy.exe 5740a96cf29d42cf951348e5c9fc9cb6 12
5. johnyy.exe 7896a94260e61c4612b1aec41c820328 8
6. johnyy.exe b70e6b993b77150a5a35d949333ac4cf 5
7. file.exe 423c414fe65718b47ad191d018a3e0a0 0

1 Comment

To anyone reading this that decides to pay the ransom to - I just paid $1500 worth of BTC to this a-hole and he now screwed me and wants 8btc (about $5500)!
Lesson learned:

I hope this helps someone out there.


Most Viewed