
CryptoJacky Ransomware – Remove and Restore Your Data

This article will help you remove CryptoJacky ransomware completely. Follow the ransomware removal instructions at the end of the article.

CryptoJacky is a ransomware cryptovirus. Once your files are encrypted, they become inaccessible. Malware researchers have discovered that the AES encryption algorithm is used to lock the files. The CryptoJacky cryptovirus leaves a ransom note demanding payment, written in Spanish. Keep reading to see how you could try to restore some of your data.

Threat Summary

Name: CryptoJacky
Type: Ransomware
Short Description: The ransomware encrypts files on your computer and displays a ransom message afterward.
Symptoms: The ransomware encrypts your files and displays a ransom message in Spanish after the encryption process is complete.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See if your system has been affected by CryptoJacky (malware removal tool)
User Experience: Join our forum to discuss CryptoJacky.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether or not you have reformatted your drive.

CryptoJacky Ransomware – Spread

CryptoJacky ransomware could spread its infection via different methods. The payload file that executes the malicious script for this ransomware, which in turn infects your computer system, has been seen circulating on the Web for the past few days. A sample of this file has been submitted to the VirusTotal service.

CryptoJacky ransomware might also distribute its payload file on social media and file-sharing networks. Freeware found on the Web can be presented as helpful but could also hide the malicious script for this cryptovirus. Don’t open files right after you have downloaded them, especially if they come from dubious sources like links and emails. Instead, you should scan them beforehand. Run a scan with a security tool, while also checking the size and signatures of the files for anything unusual. You should read the tips for ransomware prevention thread in the forum.

CryptoJacky Ransomware – Description

CryptoJacky ransomware is a cryptovirus. The original name for it, the one found in its code, is cryptoJacky v2.0, suggesting that this isn’t the first iteration of the ransomware. After your files get encrypted, a ransom message will show up. Judging by that message, the ransomware is presumably targeted at Spanish-speaking users, but it may well hit others as well. Malware researchers have reported that the virus uses aescrypt.exe for its encryption process, a legitimate command-line encryption utility that implements the AES encryption algorithm.

CryptoJacky ransomware could make entries in the Windows Registry to achieve persistence, and might even launch and suppress processes inside the Windows operating system. Some entries are designed so that the virus starts automatically with each boot of Windows.

The ransom note appears when the encryption process finishes. As discovered by the malware researcher Jiri Kropac, the note is written in Spanish and provides details about the ransom price, along with other instructions about what the ransomware developers want from you to recover your files. The note’s text is split into two messages, displayed in error / notification windows. The first part of the message, which loads after the file encryption process, reads:

Ransom_ph! has detected immoral activity in your online habits and/or on your computer, and so I have been obliged to withhold your personal files. If you wish to buy the password to regain control of them, please follow the instructions by clicking on the “ransom-instructions” file that will be created on the desktop for that purpose. Note: three icons will be created; if any of them does not appear, please right-click with the mouse and then click refresh.

The message states that some kind of illegal or immoral activity is being performed and that’s why your files are encrypted. The message points to the next file with the instructions for unlocking your files, called “ransom-instructions”.

The instructions file reads as follows:

To buy the password, click on the “ransom-payment” icon. Once the link is open, select “list” at the top of the box and then, in the left-hand column, the option you are going to pay with; on the right, select bitcoins. Click “Find the best rate”. Go to one of the sites that will appear on the right and buy EUR 250 of bitcoins to the following address (with a right-click and then paste it will be entered wherever you want): lH7YGm35zVJWU4GrqZ2nq4kDvXNfkwfhxd
Once the payment is made, let me know by sending an email to the following address: ransom_ph@mail2noble.com
Then the password will be sent to you.
Click on “ransom of files” and enter it.

The instructions for the CryptoJacky ransomware state that your files are encrypted and that you need to pay a ransom of 250 euros to get them back. You are given an email address for contact and a Bitcoin address for where to send the payment. You should NOT in any circumstance pay the cybercriminals. Your files may not get restored, and nobody could give you a guarantee for that. Furthermore, giving money to these criminals will likely motivate them to create more ransomware or do other criminal acts.

For the time being there is no list available of the file extensions that the CryptoJacky ransomware seeks to encrypt, but files with the following extensions are the most likely targets:

.bmp, .doc, .docm, .docx, .jpeg, .jpg, .mp3, .pdf, .ppt, .pptx, .rtf, .sql, .tiff, .txt, .xls, .xlsx

All files that will get encrypted by the CryptoJacky virus are likely to get a unified extension appended to every one of them, but for the moment that is unknown.

The CryptoJacky cryptovirus is very likely to erase the Shadow Copies from the Windows operating system by utilizing the following command:

vssadmin.exe delete shadows /all /Quiet
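As an added example (not from the article or from any vendor tool), here is a small Python detector that scans constructed Sysmon-style process-creation events for the Shadow Copy deletion command quoted above and for aescrypt.exe encryption runs launched from a user-writable folder, the behaviour described in the Description section. It goes slightly beyond the article by also matching the equivalent wmic shadowcopy delete form; the event field names, file paths and the parent-folder heuristic are assumptions.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",        # the command from the article
     "CommandLine": "vssadmin.exe delete shadows /all /Quiet",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\cryptoJacky.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",        # same intent, odd casing and spacing
     "CommandLine": '"C:\\Windows\\System32\\VSSADMIN.EXE"  Delete  Shadows  /quiet  /All',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",        # benign: only lists copies
     "CommandLine": "vssadmin.exe list shadows",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",       # equivalent deletion via WMIC
     "CommandLine": "wmic shadowcopy delete",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\AESCrypt\aescrypt.exe",  # benign interactive AES Crypt use
     "CommandLine": "aescrypt.exe -e -p hunter2 report.docx",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\aescrypt.exe",  # dropper driving aescrypt
     "CommandLine": "aescrypt.exe -e -p k3y photo.jpg",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\cryptoJacky.exe"},
]

# Parent folders a user can write to; legitimate AES Crypt use is rarely launched from here (heuristic).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def _tokens(cmdline):
    """Lower-case, drop quotes, split on runs of whitespace, discard the program token."""
    return re.split(r"\s+", cmdline.strip().replace('"', "").lower())[1:]

def classify(event):
    """Return a rule name for a suspicious event, or None for benign ones."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    toks, parent = _tokens(event["CommandLine"]), event["ParentImage"].lower()
    if image == "vssadmin.exe" and "delete" in toks and "shadows" in toks:
        return "shadow_copy_deletion"
    if image == "wmic.exe" and "shadowcopy" in toks and "delete" in toks:
        return "shadow_copy_deletion"
    if image == "aescrypt.exe" and "-e" in toks and any(p in parent for p in USER_WRITABLE):
        return "aescrypt_encrypt_from_user_writable_parent"
    return None

def detect(events):
    """Return (rule, command line, parent image) for every event a rule fires on."""
    return [(classify(ev), ev["CommandLine"], ev["ParentImage"])
            for ev in events if classify(ev)]
```

Token-based matching rather than a literal string match is what catches the second event, where quoting, casing and switch order differ from the command quoted in the article.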

Continue to read and check out what kinds of ways you can try to potentially restore some of your files.

Remove CryptoJacky Ransomware and Restore Your Data

If your computer got infected with the CryptoJacky ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided down below.

Manually delete CryptoJacky from your computer

Note! Important notice about the CryptoJacky threat: manual removal of CryptoJacky requires interfering with system files and the registry, so it can damage your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoJacky files and objects
2. Find malicious files created by CryptoJacky on your PC

Automatically remove CryptoJacky by downloading an advanced anti-malware program

1. Remove CryptoJacky with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by CryptoJacky
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
