{
	"id": "795b0810-057d-454c-892b-c527b3099f58",
	"created_at": "2026-04-06T00:06:42.046705Z",
	"updated_at": "2026-04-10T13:11:42.227636Z",
	"deleted_at": null,
	"sha1_hash": "41562e62f65c5866d8c743f0916f66a49cb33bc1",
	"title": "Spotted: JobCrypter Ransomware Variant With New Encryption Routines, Captures Desktop Screenshots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1038927,
	"plain_text": "Spotted: JobCrypter Ransomware Variant With New Encryption\r\nRoutines, Captures Desktop Screenshots\r\nArchived: 2026-04-02 11:49:49 UTC\r\nA variant of JobCrypter ransomware was observed using new routines for encryption and features the ability to\r\nsend a screenshot of the victim’s desktop to an email address. Aside from encrypting files twice, the ransom note\r\nis unconventionally found in the same encrypted file. Trend Micro machine learning and behavioral detection\r\ntechnology has proactively blocked this variant of JobCrypter at the time of discovery.\r\nRoutine\r\nThe new sample of JobCrypter (detected by Trend Micro as RANSOM.WIN32.JOBCRYPTER.THOAAGAI) was\r\nobserved in the wild, reportedly seen on a suspected compromised website. While the malware's installation and\r\nlaunch procedures are similar with the 2017 attacks, this sample adds a routine that sends a screenshot of the\r\nvictim’s desktop and system information to an email address via SMTP. It also deletes the registry it created,\r\nHKCU\\Software\\MOI.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots\r\nPage 1 of 6\n\nFigure 1. JobCrypter’s new routine includes capturing screenshots of the infected unit’s screen.\r\nFigure 2. The malware sends the desktop screenshot and system information to an email address.\r\nhttps://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots\r\nPage 2 of 6\n\nFigure 3. JobCrypter’s network activity. 
According to analysis, the information sent to the email address includes the system’s running processes, volume serial number, machine name, and the 67-digit encryption/decryption key.\r\nThe wallpaper of the infected machine is changed to show the ransom note, and a dialog box displays the cybercriminal’s ransom demand and instructions.\r\nFigure 4. Desktop wallpaper is changed to the ransom note.\r\nThe dialog box contains a text box, a button that reads “Unblock my files,” and a link that says “Don’t have a password? Click here.” When clicked, the link opens %Desktop%\\Comment débloquer mes fichiers.txt in Notepad. If the user of the infected machine has the decryption key (stored in the registry key HKCU\\Software\\MOI before its deletion), the ransomware first uses the entered text to decrypt %User Profile%\\ntuser.ini.css. If that succeeds, it continues decrypting all files with the .css extension, then deletes the registry keys it created (including the autostart entry), the files it dropped, and the malware itself. If it fails, another message box appears with the text “Mot de passe invalide” (“Invalid password”).\r\nFigure 5. The message displayed also says “All your files are encrypted. Don’t have a password? Click here” and “Unblock my files” button.\r\nThis ransomware variant has a few unique routines. 
Once it finds a file, it encodes the file’s entire content to Base64, encrypts the encoded content with the Triple DES algorithm, and then encodes the encrypted result to Base64 again. Instead of dropping a separate ransom-note file as most ransomware does, it prepends the ransom note to the encrypted content, and finally deletes the original file from the drive. All encrypted files are given the .css extension.\r\nFigure 6. The malware encodes the file content to Base64.\r\nFigure 7. The encoded file is encrypted with Triple DES then further encoded.\r\nFigure 8. The ransom note is found in the encrypted file, and the original file is deleted from the drive.\r\nThe ransom note demands a payment of €1,000 within 24 hours for the decrypter. The key consists of 67 random digits from 0 to 9; it is written to the registry and included in the body of the sent email, but the malware deletes the registry copy while it encrypts the files. Because the key was present on the system before that deletion (and leaves the machine in the email), decryption is possible if the key is recovered. Although the routine is unconventional, the ransom note always ends in “;” and is prepended to the encrypted file content, so the ciphertext can be separated from the note and important data files recovered.\r\nJobCrypter was among the new ransomware families that affected thousands of businesses and individuals in early 2017. We can expect cybercriminals to continue exploring and combining new techniques with old malware and tools to infiltrate systems for profit. 
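The layered file format described above (Base64, then Triple DES, then Base64 again, with the ransom note prepended and terminated by “;”) can be undone layer by layer once the key is known. The Go program below is an added example written for this page, not code from Trend Micro or from the JobCrypter sample. It assumes CBC mode with PKCS#7 padding and a zero IV, and takes an already-derived 24-byte Triple DES key, because the article does not describe the cipher mode or how the 67-digit key is turned into a Triple DES key; the ransom-note text and file content are constructed. The recovery function looks for the last “;” rather than the first, since a Base64 body never contains that character while the note text itself might.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
)

// The article states the ransom note always ends in ";" and sits before the
// encrypted content. Base64 never uses ";", so the last ";" in the file marks
// the boundary even if the note text contains semicolons of its own.
const noteTerminator = ";"

// pkcs7Pad / pkcs7Unpad handle 8-byte Triple DES blocks. PKCS#7 padding and
// CBC mode are assumptions; the article names neither.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("padded data is not block-aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize || n > len(b) {
		return nil, errors.New("invalid padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// newTripleDES builds the block cipher from a 24-byte key. How the sample
// derives that key from its 67-digit string is not described on the page,
// so the caller supplies the derived key directly.
func newTripleDES(key []byte) (cipher.Block, error) {
	return des.NewTripleDESCipher(key)
}

// EncryptLikeJobCrypter reproduces the layering the article describes:
// Base64(plaintext) -> Triple DES -> Base64, with the ransom note prepended.
func EncryptLikeJobCrypter(plaintext, key, iv []byte, note string) ([]byte, error) {
	block, err := newTripleDES(key)
	if err != nil {
		return nil, err
	}
	inner := []byte(base64.StdEncoding.EncodeToString(plaintext)) // first Base64 layer
	padded := pkcs7Pad(inner, block.BlockSize())
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	outer := base64.StdEncoding.EncodeToString(ct) // second Base64 layer
	return []byte(note + noteTerminator + outer), nil
}

// RecoverJobCrypterFile undoes the layering: strip the note up to and including
// its final ";", Base64-decode, Triple DES-decrypt, unpad, Base64-decode again.
func RecoverJobCrypterFile(encrypted, key, iv []byte) ([]byte, error) {
	idx := bytes.LastIndex(encrypted, []byte(noteTerminator))
	if idx < 0 {
		return nil, errors.New("no ransom-note terminator found")
	}
	ct, err := base64.StdEncoding.DecodeString(string(encrypted[idx+1:]))
	if err != nil {
		return nil, fmt.Errorf("outer base64 layer: %w", err)
	}
	block, err := newTripleDES(key)
	if err != nil {
		return nil, err
	}
	if len(ct) == 0 || len(ct)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext is not block-aligned")
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	inner, err := pkcs7Unpad(padded, block.BlockSize())
	if err != nil {
		return nil, err
	}
	plain, err := base64.StdEncoding.DecodeString(string(inner))
	if err != nil {
		return nil, fmt.Errorf("inner base64 layer: %w", err)
	}
	return plain, nil
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed 24-byte key
	iv := make([]byte, des.BlockSize)         // zero IV (assumption)
	note := "Vos fichiers ont ete chiffres; voir Comment debloquer mes fichiers.txt"
	original := []byte("quarterly report, constructed sample content\n")
	enc, err := EncryptLikeJobCrypter(original, key, iv, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted .css file begins: %q\n", enc[:40])
	dec, err := RecoverJobCrypterFile(enc, key, iv)
	fmt.Println("recovered:", bytes.Equal(dec, original), err)
}
```

To try this against a real .css file, replace the constructed sample with the file bytes and supply the key, mode and IV as established by your own analysis of the sample; the mode and padding here are placeholders, so a mismatch will surface as a padding or inner-Base64 error rather than silently wrong output.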
These best practices can help defend against this threat:\r\nRegularly download updates and patches from legitimate vendors.\r\nInstall a multi-layered security solution that can scan and block malicious URLs.\r\nPractice the 3-2-1 system for backing up your files.\r\nIndicators of Compromise\r\nWith additional insights from Raphael Centeno and Warren Sto. Tomas",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots"
	],
	"report_names": [
		"jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots"
	],
	"threat_actors": [],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775826702,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/41562e62f65c5866d8c743f0916f66a49cb33bc1.pdf",
		"text": "https://archive.orkl.eu/41562e62f65c5866d8c743f0916f66a49cb33bc1.txt",
		"img": "https://archive.orkl.eu/41562e62f65c5866d8c743f0916f66a49cb33bc1.jpg"
	}
}