
CryptoJoker (Virus Removal Guide)


CryptoJoker is the name of a new variation of ransomware that encrypts your personal data using AES-256 encryption and then demands a ransom in bitcoins in order to get your files back.


The installer for CryptoJoker ransomware will typically be disguised as a PDF file. This suggests that this ransomware is most likely distributed through various email phishing campaigns as a downloadable attachment.

CryptoJoker ransomware will download or generate multiple executables in the %Temp% folder and one in the %AppData% folder. The executable files are used to perform various tasks. Some of them are designed to send information to the Command & Control server at server6.thcservers.com.

This ransomware will encrypt your personal data. It scans all of your drives, including mapped network drives, to locate files with certain extensions that it can encrypt. When it finds a file with one of the targeted extensions, it encrypts the file and appends a .crjoker extension to the filename. For example, Botcrawl.png would become Botcrawl.png.crjoker.

List of extensions that CryptoJoker ransomware targets and encrypts:

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .db, .docm, .sql, .pdf

While it encrypts your files, CryptoJoker sends information such as the date, your hostname, your username, and the name of your computer to the Command & Control server located at server6.thcservers.com. It also creates a batch file in the %Temp% folder called new.bat, which it uses to execute different commands. These commands remove Shadow Volume Copies and disable Windows automatic startup repair, which essentially makes it impossible to use shadow volumes to recover the personal files encrypted by this ransomware.

List of commands that are executed:

vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
vssadmin.exe delete shadows /all /quiet
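
A detection sketch for the commands listed above, added here as an example and not taken from the original article or any vendor tool. It scans process-creation records for shadow-copy deletion and boot-recovery tampering and raises the severity when both occur on the same host within a short window; the pipe-separated log format, host names, timestamps and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns for the commands listed in this article. Matching is
# case-insensitive and tolerant of extra spaces, quoting and a missing ".exe".
RULES = {
    "shadow_delete": re.compile(r"\bvssadmin(\.exe)?\"?\s+delete\s+shadows\b", re.I),
    "recovery_off": re.compile(r"\bbcdedit(\.exe)?\"?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "ignore_boot_failures": re.compile(r"\bbcdedit(\.exe)?\"?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}

# Constructed sample: timestamp|host|command line (one process start per line).
SAMPLE_EVENTS = r"""
2016-01-04T10:15:02|WS-017|C:\Windows\System32\cmd.exe /c C:\Users\alice\AppData\Local\Temp\new.bat
2016-01-04T10:15:03|WS-017|vssadmin.exe Delete Shadows /All /Quiet
2016-01-04T10:15:03|WS-017|bcdedit.exe /set {default} recoveryenabled No
2016-01-04T10:15:04|WS-017|bcdedit.exe  /set {default} bootstatuspolicy ignoreallfailures
2016-01-04T11:40:00|WS-022|vssadmin.exe list shadows
2016-01-04T12:05:10|SRV-03|"C:\Windows\System32\vssadmin.exe" delete shadows /for=D: /oldest
"""

def parse(text):
    """Yield (timestamp, host, command line) from the constructed log format."""
    for line in text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        yield datetime.fromisoformat(ts), host, cmd

def triage(text, window=timedelta(minutes=5)):
    """Return {host: severity} for hosts that ran any of the listed commands."""
    hits = defaultdict(list)  # host -> [(time, rule name)]
    for ts, host, cmd in parse(text):
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[host].append((ts, name))
    alerts = {}
    for host, items in hits.items():
        deletes = [t for t, n in items if n == "shadow_delete"]
        boot = [t for t, n in items if n != "shadow_delete"]
        # Shadow deletion alone can be routine maintenance; combined with
        # boot-recovery tampering inside the window it is treated as high.
        paired = any(abs(d - b) <= window for d in deletes for b in boot)
        alerts[host] = "high" if paired else "medium"
    return alerts

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, severity)
```
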

Once the encryption process is complete and CryptoJoker has performed all of its necessary tasks, it will display a small window that stays on top of your open applications unless you terminate the %Temp%\WinDefrag.exe process. The window contains instructions in English and Russian. The instructions claim that the victim must email file987@sigaint.org, file9876@openmail.cc, or file987@tutanota.com in order to obtain payment instructions. They also say that you must include an RSA encrypted string of text, which is presented in the small window as well and is read from %Temp%\README!!!.txt. The CryptoJoker developer will then respond with the amount of the ransom and other instructions to pay the ransom.

CryptoJoker files


CryptoJoker Registry Entries

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe
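
One way to audit a saved copy of the Run key for the entries above, added here as an example and not part of the original article. It parses text in the layout printed by reg query and flags both the value names listed in this article and, as a generalization, any autorun whose target sits in a Temp directory; the sample output, user name and the "updater" entry are constructed.

```python
import re

# Run value names listed in this article (compared case-insensitively).
KNOWN_NAMES = {"winpnp", "drvpci", "windefrag"}
# Autorun targets inside a Temp directory are unusual for legitimate software.
TEMP_PATH = re.compile(r"(%temp%|\\appdata\\local\\temp\\|\\windows\\temp\\)", re.I)
# One value per line: four spaces, name, four spaces, type, four spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample in the layout of:
#   reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    winpnp    REG_SZ    C:\Users\alice\AppData\Local\Temp\winpnp.exe
    drvpci    REG_SZ    C:\Users\alice\AppData\Local\Temp\drvpci.exe
    WinDefrag    REG_EXPAND_SZ    %Temp%\windefrag.exe
    updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\svc32.exe
"""

def audit_run_key(reg_output):
    """Return [(value name, [reasons])] for suspicious Run entries."""
    findings = []
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key header or blank line
        reasons = []
        if m["name"].strip().lower() in KNOWN_NAMES:
            reasons.append("value name listed for CryptoJoker")
        if TEMP_PATH.search(m["data"]):
            reasons.append("autorun target in Temp")
        if reasons:
            findings.append((m["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_REG_OUTPUT):
        print(f"{name}: {', '.join(reasons)}")
```
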

How to remove CryptoJoker (Virus Removal Guide)

1. Download and Install Malwarebytes Anti-Malware software.

2. Open Malwarebytes and click the Scan Now button or go to the Scan tab and click the Start Scan button.

3. When the Malwarebytes scan is complete click the Remove Selected button.

4. To finish the Malwarebytes scan and remove detected threats click the Finish button and restart your computer if prompted to do so.

5. Download and Install HitmanPro by Surfright.

6. Open HitmanPro and click Next to start scanning your computer. *If you are using the free version you may choose to create a copy or perform a one-time scan.

7. When the HitmanPro scan is complete click the Next button.

8. To activate the free version of HitmanPro: enter your email address twice and click the Activate button.

9. Click the Reboot button.

How to recover files encrypted by CryptoJoker

At this time there is no procedure to decrypt files encrypted by the CryptoJoker virus. It deletes shadow volume copies, which makes this a daunting task. However, you can try a few products used to decrypt files and recover files just in case things have changed by the time you read this:

Lead Editor

Jared Harrison is an accomplished tech author and entrepreneur, bringing forth over 20 years of extensive expertise in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. He has made significant contributions to the industry and has been featured in multiple esteemed publications. Jared is widely recognized for his keen intellect and innovative insights, earning him a reputation as a respected figure in the tech community.
