CryptoJoker (Virus Removal Guide)
CryptoJoker
CryptoJoker is the name of a new variation of ransomware that encrypts your personal data using AES-256 encryption and then demands a ransom in bitcoins in order to get your files back.
The installer for CryptoJoker ransomware will typically be disguised as a PDF file. This suggests that this ransomware is most likely distributed through various email phishing campaigns as a downloadable attachment.
CryptoJoker ransomware will download or generate multiple executables in the %Temp% folder and one in the %AppData% folder. The executable files are used to perform various tasks. Some executable files are designed to send information to the Command & Control server at server6.thcservers.com.
This ransomware will encrypt your personal data. The ransomware will scan all of your drives, including mapped network drives to locate files with certain extensions that it can encrypt. When it finds a file extension that it is compatible with it will encrypt the file and change the filename so it has a .crjoker extension appended to it. For example, Botcrawl.png would become Botcrawl.png.crjoker.
List of extensions that CryptoJoker ransomware targets and encrypts:
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .db, .docm, .sql, .pdf
CryptoJoker will send information such as the date, your hostname, your username, and the name of your computer to the Command & Control server located at server6.thcservers.com while it encrypts your files. It will also create a batch file in the %Temp% folder called new.bat which it uses to execute different commands. These commands remove Shadow Volume Copies and disable Windows automatic startup repair. These commands essentially make it impossible to use shadow volumes in order to recover your personal files encrypted by this ransomware.
List of commands that are executed:
vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
vssadmin.exe delete shadows /all /quiet
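The four commands above are the part of the infection that is easiest to catch from process-creation telemetry, because vssadmin deleting all shadow copies and bcdedit turning off recovery are rarely legitimate on a workstation. The following script is an added example, not code from the original write-up: it parses constructed Sysmon-style process-creation events (the log format, timestamps and the victim's Temp path are assumptions) and flags the shadow-copy deletion and boot-recovery tampering, matching case-insensitively because the batch file issues the vssadmin command in two different capitalisations.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style,
# key="value" pairs). They are illustrative, not captured from a real host.
SAMPLE_EVENTS = [
    'UtcTime="2016-01-04 10:15:01" Image="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\new.bat" '
    'ParentImage="C:\\Users\\victim\\AppData\\Local\\Temp\\windefrag.exe"',
    'UtcTime="2016-01-04 10:15:02" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin.exe Delete Shadows /All /Quiet" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'UtcTime="2016-01-04 10:15:02" Image="C:\\Windows\\System32\\bcdedit.exe" '
    'CommandLine="bcdedit.exe /set {default} recoveryenabled No" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'UtcTime="2016-01-04 10:15:03" Image="C:\\Windows\\System32\\bcdedit.exe" '
    'CommandLine="bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'UtcTime="2016-01-04 10:15:03" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin.exe delete shadows /all /quiet" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    # Benign administrative activity that must not trigger.
    'UtcTime="2016-01-04 11:00:00" Image="C:\\Windows\\System32\\vssadmin.exe" '
    'CommandLine="vssadmin.exe List Shadows" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'UtcTime="2016-01-04 11:00:05" Image="C:\\Windows\\System32\\bcdedit.exe" '
    'CommandLine="bcdedit.exe /enum" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe"',
]

# Detection rules: rule name -> pattern matched against the command line.
# Case-insensitive, since the batch file runs the same vssadmin command
# once in mixed case and once in lower case.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b.*/all", re.IGNORECASE),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b",
        re.IGNORECASE),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b",
        re.IGNORECASE),
}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Turn a key="value" event line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def classify_command(cmdline):
    """Return the names of every rule the command line matches."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def scan_events(lines):
    """Return one finding per matching event: time, rule, command, parent."""
    findings = []
    for line in lines:
        event = parse_event(line)
        for rule in classify_command(event.get("CommandLine", "")):
            findings.append({"time": event.get("UtcTime"), "rule": rule,
                             "command": event["CommandLine"],
                             "parent": event.get("ParentImage")})
    return findings


def summarize(findings):
    """Distinct techniques seen; all three together is the pattern above."""
    return sorted({f["rule"] for f in findings})


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']}  {f['rule']:<22} {f['command']}  (parent: {f['parent']})")
    print("techniques observed:", summarize(found))
```

Seeing all three techniques from the same cmd.exe parent within a couple of seconds, as in the constructed sample, is a strong signal that backups are being destroyed before encryption, which is the moment a host should be isolated rather than after the ransom note appears.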
Once the encryption process is complete and CryptoJoker has performed all of its necessary tasks it will display a small window that will stay on top of your open applications unless you terminate the %Temp%\WinDefrag.exe process. The window contains instructions in English and Russian. The instructions claim that the victim must email file987@sigaint.org, file9876@openmail.cc, or file987@tutanota.com in order to obtain payment instructions. It also says that you must include an RSA encrypted string of text that is presented in the small window as well, which is read from %Temp%\README!!!.txt. The CryptoJoker developer will then respond with the amount of the ransom and other instructions to pay the ransom.
CryptoJoker files
%Temp%\crjoker.html
%Temp%\drvpci.exe
%Temp%\GetYouFiles.txt
%Temp%\imgdesktop.exe
%Temp%\new.bat
%Temp%\README!!!.txt
%Temp%\sdajfhdfkj
%Temp%\windefrag.exe
%Temp%\windrv.exe
%Temp%\winpnp.exe
%AppData%\dbddbccdf.exe
%AppData%\README!!!.txt22
CryptoJoker Registry Entries
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe
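The file list and Run-key entries above are the indicators a responder would sweep a host for. The script below is an added example and not part of the original guide: it checks a constructed host snapshot (the JSON-like structure, the victim's profile paths and the extra Run value are assumptions, not data from a real machine) against those indicators, expanding %Temp% and %AppData% before comparing, and it goes one step beyond the page by also flagging any Run value that launches from the Temp folder and by inventorying .crjoker files together with the extension they had before encryption.

```python
import ntpath
import re

# Indicators from the write-up above, lower-cased for comparison.
TEMP_FILES = {"crjoker.html", "drvpci.exe", "getyoufiles.txt", "imgdesktop.exe",
              "new.bat", "readme!!!.txt", "sdajfhdfkj", "windefrag.exe",
              "windrv.exe", "winpnp.exe"}
APPDATA_FILES = {"dbddbccdf.exe", "readme!!!.txt"}
RUN_VALUES = {"winpnp": "%Temp%\\winpnp.exe", "drvpci": "%Temp%\\drvpci.exe",
              "windefrag": "%Temp%\\windefrag.exe"}
ENCRYPTED_SUFFIX = ".crjoker"

# Constructed host snapshot (not collected from a real machine): environment,
# HKCU\...\CurrentVersion\Run values and a file inventory for a hypothetical user.
SNAPSHOT = {
    "env": {"TEMP": "C:\\Users\\victim\\AppData\\Local\\Temp",
            "APPDATA": "C:\\Users\\victim\\AppData\\Roaming"},
    "run_keys": {  # value name -> value data
        "OneDrive": "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
        "winpnp": "C:\\Users\\victim\\AppData\\Local\\Temp\\winpnp.exe",
        "windefrag": "C:\\Users\\victim\\AppData\\Local\\Temp\\WinDefrag.exe",
        "updater": "C:\\Users\\victim\\AppData\\Local\\Temp\\upd.exe",  # assumed, not an IoC
    },
    "files": [
        "C:\\Users\\victim\\AppData\\Local\\Temp\\new.bat",
        "C:\\Users\\victim\\AppData\\Local\\Temp\\README!!!.txt",
        "C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1234.tmp",
        "C:\\Users\\victim\\AppData\\Roaming\\dbddbccdf.exe",
        "C:\\Users\\victim\\Documents\\Botcrawl.png.crjoker",
        "D:\\share\\budget.xlsx.crjoker",
        "C:\\Users\\victim\\Documents\\notes.txt",
    ],
}


def expand(value, env):
    """Replace %TEMP%-style placeholders (any case) with the snapshot's paths."""
    out = value
    for var, path in env.items():
        out = re.sub(re.escape(f"%{var}%"), lambda m: path, out, flags=re.IGNORECASE)
    return out


def check_run_keys(snapshot):
    """Flag Run values that match the known entries, or that launch from Temp."""
    env = snapshot["env"]
    temp = env["TEMP"].lower()
    hits = []
    for name, data in snapshot["run_keys"].items():
        expected = RUN_VALUES.get(name.lower())
        if expected and expand(expected, env).lower() == data.lower():
            hits.append({"rule": "cryptojoker_run_value", "name": name, "data": data})
        elif data.lower().startswith(temp + "\\"):
            hits.append({"rule": "run_value_in_temp", "name": name, "data": data})
    return hits


def check_files(snapshot):
    """Return inventory paths whose folder and name match a known artifact."""
    env = snapshot["env"]
    temp, appdata = env["TEMP"].lower(), env["APPDATA"].lower()
    hits = []
    for path in snapshot["files"]:
        folder, name = (part.lower() for part in ntpath.split(path))
        if (folder == temp and name in TEMP_FILES) or \
           (folder == appdata and name in APPDATA_FILES):
            hits.append(path)
    return hits


def find_encrypted(snapshot):
    """Return (path, original extension) for every file renamed with .crjoker."""
    found = []
    for path in snapshot["files"]:
        if path.lower().endswith(ENCRYPTED_SUFFIX):
            original = path[:-len(ENCRYPTED_SUFFIX)]
            found.append((path, ntpath.splitext(original)[1].lower()))
    return found


if __name__ == "__main__":
    for hit in check_run_keys(SNAPSHOT):
        print(f"[{hit['rule']}] {hit['name']} -> {hit['data']}")
    for path in check_files(SNAPSHOT):
        print(f"[known_artifact] {path}")
    for path, ext in find_encrypted(SNAPSHOT):
        print(f"[encrypted] {path} (was {ext})")
```

The persistence check matches on the expanded path rather than the literal %Temp% string because the registry stores whatever the malware wrote, which on a real host is usually the resolved directory; matching only the literal placeholder would miss it. The .crjoker inventory is also what tells a responder which mapped network shares were reached, since the ransomware scans those as well.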
How to remove CryptoJoker (Virus Removal Guide)
1. Download and Install Malwarebytes Anti-Malware software.
2. Open Malwarebytes and click the Scan Now button or go to the Scan tab and click the Start Scan button.
3. When the Malwarebytes scan is complete click the Remove Selected button.
4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if prompted to do so.
5. Download and Install HitmanPro by Surfright.
6. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.
7. When the HitmanPro scan is complete click the Next button.
8. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.
9. Click the Reboot button.
How to recover files encrypted by CryptoJoker
At this time there is no procedure to decrypt files encrypted by the CryptoJoker virus. It deletes shadow volume copies, which makes this a daunting task. However, you can try a few products used to decrypt files and recover files just in case things have changed by the time you read this: