JS.Crypto Ransomware Removal Guide

Do you know what JS.Crypto Ransomware is?

JS.Crypto Ransomware is a serious infection that might enter your system and make your files useless. Even though JS.Crypto Ransomware acts like other existing ransomware infections, our experts have managed to find out that this threat is unique in a sense that it is based on the open-source product NW.js (a framework to develop applications for Windows, Linux, and MacOS X). At the time of writing, JS.Crypto Ransomware spreads among Windows users; however, specialists say that it might affect systems with Linux and MacOS X in the future too because it uses JavaScript. Users who encounter JS.Crypto Ransomware immediately notice that they cannot access their files, so we believe that it is impossible not to notice that this threat has slithered onto the computer. Do not panic if this has happened because it is possible to remove JS.Crypto Ransomware. Unfortunately, it is not so easy to gain access to files stored on PC.

Our security specialists say that all users have to be very cautious no matter they use Windows, Linux, or MacOS X because it has been observed that some people decide to distribute JS.Crypto Ransomware themselves. They simply find an administration panel on the TOR network, provide the Bitcoin address, and can even configure the parameters of malware, e.g. whether or not it will lock the computer, a number of Bitcoins it will ask, and the time given for users to pay a ransom. After they are finished with that, they click the Download client.scr button and get the actual malware whose size is usually 22MB. The size of this malicious software differs from the size of other existing ransomware infections (their average size is 1MB). The difference is probably so notable because JS.Crypto Ransomware uses the .js file.JS.Crypto Ransomware Removal GuideJS.Crypto Ransomware screenshot
Scroll down for full removal instructions

If JS.Crypto Ransomware manages to reach your system, it will encrypt pictures, music, videos, and documents within seconds. Our researchers say that it will not add any specific filename extension to encrypted files; however, there is no doubt that it is aimed at files that have such extensions as .xml, .ses, .dat, .wma, .ra, .avi, .msg, .rtf, .pmd, .cs, .mdb, .pdb, .sql, .mp4, .3gp, .mov, .ppt, .pot, .doc, .docx, .docm, .aet, .ppj, .psd, .indt, .pptx, and a bunch of others. As you can see, it touches the majority of files. It does not encrypt those that are located in directories containing the following strings only:

  • :\windows\
  • :\winnt\
  • programdata\
  • boot\
  • temp\
  • tmp\
  • $recycle.bin\

The threat will not only encrypt all the files, but it will also place a screen-sized message on the screen. If you see such or a similar message (see below), there is no doubt that you have encountered JS.Crypto Ransomware.


All your data (photos, documents, databases, etc.) have been encrypted with a private and unique key generated for this computer. This means that you will not be able to access your files anymore until they are decrypted. The private key is stored in our servers and the only way to receive your key to decrypt your files is making a payment.

The payment has to be done in Bitcoins to a unique address that we generated for you. Bitcoins are a virtual currency to make online payments. If you don’t know how to get Bitcoins, you can click the button “How to buy Bitcoins bellow and follow the instructions.

If you already see such a message on your screen, you have probably also noticed that you are given a limited time to make a payment. It is said that a payment will rise after 3 days. In addition, all the files will be deleted irreversibly after 6 days. In order to convince users to make a payment, JS.Crypto Ransomware promises to decrypt one file for free. Of course, you will have to pay a ransom of 0.1 Bitcoins (approx. $35) in order to gain access to the remaining files. It is up to you whether to do that; however, we suggest that you do not pay money to cyber criminals if you have a backup of your files on some kind of external hard drive.

In order to reduce the possibility of infecting your system with JS.Crypto Ransomware, you have to know how it is distributed. Our specialists have managed to find out that JS.Crypto Ransomware might enter the system if you click on a bad link, download an unreliable program from a questionable source, or simply open an attachment in a spam email. JS.Crypto Ransomware comes as a client.scr file (WinRAR self-extracting archive). After a user clicks on this file, all the major files of JS.Crypto Ransomware are extracted to the %Temp% directory and %AppData%\Chrome Browser, which is considered to be the MAIN directory. Below is provided a list of files that this WinRAR archive contains:

  • chrome
  • chrome.exe
  • ffmpegsumo.dll
  • rundll32.exe
  • s.exe
  • g
  • msgbox.vbs
  • u.vbs

In order not to disappear after the PC reboot and thus be able to start together with Windows, JS.Crypto Ransomware adds the ChromeService.lnk file to %AppData%\Microsoft\Windows\Start Menu\Programs\Startup as well.

Unfortunately, the removal of JS.Crypto Ransomware will not help you to decrypt files because it uses the AES encryption with a 128 bit key; however, it is still very important to delete JS.Crypto Ransomware completely because this infection might encrypt your new files too. You should use instructions provided below for this matter. As you can see, you have to kill the chrome.exe process first in order to remove the warning message. Secondly, you will have to unhide files and folders, and finally, delete files and directories that belong to JS.Crypto Ransomware.

Delete JS.Crypto Ransomware

Remove the warning message

  1. Tap Ctrl+Shift+Esc simultaneously.
  2. Open the Processes tab and locate the chrome.exe process.
  3. Right-click on it and then click End Process.

Display hidden files and folders

Windows XP

  1. Open Folder Options in Control Panel (it is available in the Start menu).
  2. Open the View tab.
  3. Click Show hidden files and folders.
  4. Clear the Hide protected operating system files (Recommended) checkbox.

Windows 7/Vista

  1. Click the Organize button in any folder.
  2. Select Folder and search options from the menu.
  3. Open the View tab.
  4. Mark Show hidden files and folders.
  5. Remove the checkbox from Hide protected operating system files (Recommended).

Windows 8/8.1/10

  1. Open the File Explorer and click on the View tab to open it.
  2. Select Options and click Change folder and search options.
  3. Open the View tab.
  4. Enable Show hidden files and folders.
  5. Remove the tick from Hide protected operating system files (Recommended).

Delete files and directories

  1. Tap the Windows key + R (launch RUN).
  2. Enter %AppData% in the box and click OK.
  3. Locate the Chrome Browser directory and delete it.
  4. Launch RUN again and enter %AppData%\Microsoft\Windows\Start Menu\Programs\Startup .
  5. Locate ChromeService.lnk. Right-click on it and select Delete.

In non-techie terms:

After you delete JS.Crypto Ransomware manually, do not forget to scan your system with an automatic malware remover too because other threats might be silently hiding on your system. We suggest using SpyHunter for this matter. You should use it too if you cannot erase JS.Crypto Ransomware manually or simply want to protect your system from similar future threats.