CryptoJacky Ransomware – Remove and Restore Your Data

This article explains how to remove CryptoJacky ransomware completely. Follow the ransomware removal instructions at the end of the article.

CryptoJacky is a ransomware cryptovirus. Once it has encrypted your files, they become inaccessible. Malware researchers have found that the AES encryption algorithm is used to lock the files. CryptoJacky leaves a ransom note, written in Spanish, demanding payment. Keep reading to see how you might restore some of your data.

Threat Summary

Short Description: The ransomware encrypts files on your computer and then displays a ransom message.
Symptoms: The ransomware encrypts your files and, once the encryption process is complete, displays a ransom message in Spanish.
Distribution Method: Spam emails, email attachments

CryptoJacky Ransomware – Spread

CryptoJacky ransomware could spread its infection in several ways. The payload file that runs the malicious script for this ransomware, and thereby infects the system, has been seen circulating on the Web for a few days; a sample of such a file has been submitted to the VirusTotal service.

CryptoJacky ransomware might also distribute its payload file via social media and file-sharing networks. Freeware found on the Web can be presented as helpful while hiding the malicious script for this cryptovirus. Don’t open files right after downloading them, especially when they come from dubious sources such as links in emails. Scan them first with a security tool, and check their size and digital signature for anything unusual. You should also read the ransomware prevention tips thread in the forum.

CryptoJacky Ransomware – Description

CryptoJacky ransomware is a cryptovirus. The original name found in its code is cryptoJacky v2.0, suggesting that this is not the first iteration of the ransomware. After your files are encrypted, a ransom message appears. Judging by that message, the ransomware is presumably aimed at Spanish-speaking users, although it may hit others as well. Malware researchers have reported that the virus uses aescrypt.exe for its encryption, that is, the command-line binary of AES Crypt, an open-source file-encryption utility that applies AES with a key derived from a password. Rather than implementing a cipher of its own, the ransomware drives a legitimate tool, so the encryption is exactly as strong, and as recoverable, as the passphrase the tool was given.

CryptoJacky ransomware could create entries in the Windows Registry to achieve persistence, and might also start and stop processes on the system. Some of those entries are designed to launch the virus automatically at every Windows boot; the usual place to check is the Run and RunOnce keys under Software\Microsoft\Windows\CurrentVersion in both the user and machine hives.

The ransom note appears once the encryption process finishes. As discovered by malware researcher Jiri Kropac, the note is written in Spanish and states the ransom price along with instructions on what the ransomware developers want from you to recover your files. The text is split into two messages, each displayed in an error/notification window. The first message, shown right after the files are encrypted, reads (Spanish original, followed by an English translation):

Ransom_ph! ha detectado actividad inmoral en sus hábitos online y/o en su equipo, siendo así me he visto en la obligación de retener sus archivos personales. Si usted desea comprar la contraseña para recuperar el control de los mismos, sírvase seguir las instrucciones cliqueando en el archivo “ransom-instructions” que será creado en el escritorio para tal fin. Nota: son tres íconos los que se crearán, si alguno no apareciera, por favor haga click con el botón derecho del mouse y seguidamente en actualizar.

In English:

Ransom_ph! has detected immoral activity in your online habits and/or on your computer, and so I have been obliged to withhold your personal files. If you wish to buy the password to regain control of them, please follow the instructions by clicking the file “ransom-instructions” that will be created on the desktop for that purpose. Note: three icons will be created; if any of them does not appear, please right-click the mouse and then click Refresh.

The message claims that some kind of illegal or immoral activity has been detected and uses that as the pretext for encrypting your files. It points to a second file with the unlocking instructions, called “ransom-instructions”, and says that three icons are dropped on the desktop; across the two messages these are named ransom-instructions, ransom-payment and ransom of files, which makes them useful artifacts to look for when triaging a machine.

The instructions file reads (Spanish original, followed by an English translation):

Para comprar la contraseña haga click en el ícono “ransom-payment”. Una vez abierto el link seleccione arriba del cuadro “list” y luego en la columna de la izquierda la opción con la que va a pagar, en la derecha seleccione bitcoins. Cliquee “Find the best rate”. Vaya a alguno de los sitios que aparecerán a la derecha y compre EUR 250 de bitcoins a la siguiente dirección (con click derecho y luego pegar será ingresada donde quiera): lH7YGm35zVJWU4GrqZ2nq4kDvXNfkwfhxd
Una vez hecho el pago hágamelo saber enviándome un correo a la siguiente dirección:
Siendo así, le será enviada la contraseña.
Haga click en “ransom of files” e ingrésela.

In English:

To buy the password, click the “ransom-payment” icon. Once the link is open, select “list” at the top of the box, then in the left-hand column the option you will pay with, and on the right select bitcoins. Click “Find the best rate”. Go to one of the sites that will appear on the right and buy EUR 250 of bitcoins to the following address (right-click and then paste will enter it wherever you want): lH7YGm35zVJWU4GrqZ2nq4kDvXNfkwfhxd
Once the payment is made, let me know by sending an email to the following address:
That done, the password will be sent to you.
Click “ransom of files” and enter it.

The instructions for the CryptoJacky ransomware state that your files are encrypted and that you must pay a ransom of 250 euros to get them back. You are given an email address for contact and a Bitcoin address to send the payment to. You should NOT pay the cybercriminals under any circumstances. Your files may not be restored, and nobody can guarantee that they will be: the password is held only by the attacker and is merely promised by email after payment. Furthermore, paying funds further ransomware development and other criminal activity.

For the time being there is no list of the file extensions that CryptoJacky seeks to encrypt, but the following, commonly targeted by ransomware, are the most likely:

→.bmp, .doc, .docm, .docx, .jpeg, .jpg, .mp3, .pdf, .ppt, .pptx, .rtf, .sql, .tiff, .txt, .xls, .xlsx

All files encrypted by the CryptoJacky virus are likely to get a single extension appended to them, but for the moment that extension is unknown, so the reliable way to inventory encrypted files is by their content rather than by their names.
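Because the appended extension is unknown but the encryptor is known to be aescrypt.exe, encrypted files can be found by the AES Crypt container header instead of by name. The following is an added example, not code from the article or from the CryptoJacky authors; it assumes the files were written by AES Crypt, whose format begins with the bytes "AES" and a one-byte format version (0, 1 or 2). The sample directory tree it builds is constructed for the demonstration.

```python
"""Locate AES Crypt containers on disk regardless of their file name.

Added example; assumes the files were produced by aescrypt.exe. The AES Crypt
format starts with b"AES" followed by a version byte (0, 1 or 2); versions 1 and
2 then carry a reserved byte that must be zero, version 0 carries the plaintext
length modulo 16 in that position instead.
"""
import os
import tempfile
from pathlib import Path

AESCRYPT_MAGIC = b"AES"


def is_aescrypt_container(path):
    """Return True if the file begins with a valid AES Crypt header."""
    try:
        with open(path, "rb") as f:
            header = f.read(5)
    except OSError:
        return False
    if len(header) < 5 or header[:3] != AESCRYPT_MAGIC:
        return False
    version = header[3]
    if version == 0:
        return True  # v0: byte 4 is the plaintext length mod 16, any value is valid
    return version in (1, 2) and header[4] == 0  # v1/v2: byte 4 is reserved, must be 0


def find_aescrypt_files(root):
    """Walk root and return the sorted paths of every AES Crypt container found."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_aescrypt_container(full):
                hits.append(full)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample files for the demo; not real CryptoJacky output."""
    base = Path(base)
    (base / "docs").mkdir(parents=True, exist_ok=True)
    # AES Crypt v2 header followed by opaque bytes, with an unknown ransom suffix.
    (base / "docs" / "report.docx.locked").write_bytes(b"AES\x02\x00" + b"\x00" * 32)
    # Same header but the original name kept: header matching still finds it.
    (base / "photo.jpg").write_bytes(b"AES\x02\x00" + b"\xff" * 40)
    # Plain text that merely starts with the letters AES; must not match.
    (base / "notes.txt").write_bytes(b"AES is the cipher used here")
    # Magic present but an unknown version byte; must not match.
    (base / "bogus.bin").write_bytes(b"AES\x09\x00" + b"\x00" * 16)
    return base


def demo():
    """Build the sample tree in a temp dir and return the relative paths that matched."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return [os.path.relpath(p, root).replace(os.sep, "/")
                for p in find_aescrypt_files(root)]


if __name__ == "__main__":
    for rel in demo():
        print("AES Crypt container:", rel)
```

Run against a user profile, the resulting list both scopes the damage and reveals, from the names of the hits, whatever suffix this build of the ransomware actually appends.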

Like many ransomware families, the CryptoJacky cryptovirus is very likely to erase the Shadow Volume Copies of the Windows operating system, which would otherwise let you roll files back, by running the following command:

→vssadmin.exe delete shadows /all /Quiet
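The three behaviours described in this section, aescrypt.exe driven as the encryptor, a Registry autostart entry, and shadow copy deletion, all surface in process-creation and registry auditing. The following is an added example, not code from the article or from any vendor product, that hunts for them in a constructed log: the records mimic Sysmon Event ID 1 (process create) and Event ID 13 (registry value set) after parsing into dictionaries, with Sysmon's field names but invented paths, user name and passphrase. It also assumes, as AES Crypt's command line permits, that the ransomware passes the passphrase with -p; the article only says that aescrypt.exe is called, so treat that as a hypothesis to confirm in your own logs. The wmic shadowcopy delete pattern is an equivalent the article does not mention.

```python
"""Hunt process-creation and registry events for CryptoJacky-style behaviour.

Added example. Records are constructed to look like Sysmon EID 1 and EID 13
after parsing; the paths, user and passphrase are invented.
"""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.I)
VSS_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
# Equivalent deletion path not on the page; removes the same restore points.
WMIC_VSS_RE = re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def aescrypt_password(cmdline):
    """Return the passphrase when aescrypt runs as `aescrypt -e -p <pass> <file>`, else None.

    AES Crypt's CLI takes the passphrase via -p. Whether CryptoJacky passes it this
    way is an assumption; if it does, auditing has recorded the key for `aescrypt -d -p`.
    """
    argv = _tokens(cmdline)
    if not argv or argv[0].rsplit("\\", 1)[-1].lower() not in ("aescrypt.exe", "aescrypt"):
        return None
    if "-e" not in argv:
        return None
    for i, tok in enumerate(argv[:-1]):
        if tok == "-p":
            return argv[i + 1]
    return None


def analyze_event(ev):
    """Return (severity, message) findings for one record; an empty list means benign."""
    findings = []
    if ev["EventID"] == 1:
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        cmd = ev.get("CommandLine", "")
        if image in ("aescrypt.exe", "aescrypt"):
            pw = aescrypt_password(cmd)
            if pw is not None:
                findings.append(("high", f"aescrypt.exe encrypting; passphrase on command line: {pw!r}"))
            else:
                findings.append(("medium", "aescrypt.exe executed; confirm whether this user runs AES Crypt"))
        if VSS_DELETE_RE.search(cmd) or WMIC_VSS_RE.search(cmd):
            findings.append(("high", f"shadow copies deleted by {ev.get('ParentImage', '?')}: {cmd}"))
    elif ev["EventID"] == 13:
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            findings.append(("medium", f"autostart entry written: {target} -> {ev.get('Details', '')}"))
    return findings


def hunt(events):
    """Return [(RecordId, severity, message)] over all records, in log order."""
    return [(ev["RecordId"], sev, msg) for ev in events for sev, msg in analyze_event(ev)]


def recovered_passphrases(events):
    """Distinct passphrases seen on aescrypt -e command lines, candidates for decryption."""
    return sorted({pw for ev in events if ev["EventID"] == 1
                   for pw in [aescrypt_password(ev.get("CommandLine", ""))] if pw})


# Constructed sample log, not a real capture.
SAMPLE_EVENTS = [
    {"RecordId": 101, "EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\ana\notas.txt'},
    {"RecordId": 102, "EventID": 1, "Image": r"C:\Users\ana\AppData\Local\Temp\aescrypt.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\Temp\payload.exe",
     "CommandLine": r'aescrypt.exe -e -p Xk9#pLm2 "C:\Users\ana\Documents\informe.docx"'},
    {"RecordId": 103, "EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\ana\AppData\Local\Temp\payload.exe",
     "CommandLine": r"vssadmin.exe delete shadows /all /Quiet"},
    {"RecordId": 104, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\ana\AppData\Local\Temp\payload.exe"},
    {"RecordId": 105, "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for rec, sev, msg in hunt(SAMPLE_EVENTS):
        print(f"[{sev:6}] record {rec}: {msg}")
    print("passphrases to try with aescrypt -d -p:", recovered_passphrases(SAMPLE_EVENTS))
```

None of this works unless command-line auditing was already on when the infection ran (Sysmon, or Security event 4688 with command-line logging enabled), which is the practical lesson: the same log that flags the vssadmin call may also hold the only copy of the key. On a live host, vssadmin list shadows tells you whether the deletion actually succeeded before you give up on rolling files back.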

Continue to read and check out what kinds of ways you can try to potentially restore some of your files.

Remove CryptoJacky Ransomware and Restore Your Data

If your computer got infected with the CryptoJacky ransomware, you should have some experience in removing malware. Get rid of this ransomware as quickly as possible, before it has a chance to spread further and infect other computers, by following the step-by-step removal guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
