.Pluss.executioner and .Destroy.executioner Virus - Remove + Restore Files

.pluss.executioner and .destroy.executioner Files Virus – Remove + Restore Files

This article has been created in order to help explain what is CryptoJoker ransomware virus and how to remove it completely from your computer plus restore files that have been encrypted by this virus on your computer.

New form of ransomware virus using two different file extensions after it encrypts your files has been detected and dubbed CryptoJoker by malware analysts. The virus aims to use the AES encryption algorithm on the files of the victim computers and it’s end goal is to get victims to pay a hefty ransom fee by following the instructions in the Readme.html web-page of the virus. If you have been infected by this malware, recommendations are to focus on removing it completely and trying to restore files that have been encrypted by it, by reading the instructions below.

Threat Summary

NameCryptoJoker Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the computers that have been infected by it after which demand victims to pay hefty ransom fee in order to get their files decrypted once again.
SymptomsThe malware adds two different file extensions on the infected computer’s files – .pluss.executioner and .destroy.executioner
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by CryptoJoker Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss CryptoJoker Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoJoker Ransomware – Infection Methods

In order to infect the maximum amount of computers, the ones behind CryptoJoker ransomware may begin to perform various different activities to mask it’s infection file and then send it to you in the form of a fake legitimate document. The most often cause of infection is by opening the file via e-mail. Most malicious spam e-mails that are sent often make it seem like the attachments on those e-mails are legitimate documents, like:

  • Invoices.
  • Receipts.
  • Purchase requests.
  • Product returns.
  • Banking statement.
  • Delivery notifications.

As soon as the victim has already opened the malicious e-mails, the files may also be Microsoft Office documents which usually contain malicious macros embedded within them. In addition to this, the malware may also pretend to be other types of legitimate files that are uploaded online, such as:

  • Fake setups.
  • Fake key generators.
  • Fake program installers.
  • Fraudulent cracks, patches.

CyberJoker Ransomware – More Information

As soon as the ransomware virus has infected your computer, the malware may drop it’s payload on it. The payload files may be located onto various different types of folders, among which are:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

In addition to this, the CyberJoker malware aims to perform various other activities besides simply encrypting your files, such as touch files, modify system permissions and others. One of those activities is to focus on modifying the Windows Registry Editor of the infected machine, more specifically attack the following sub-keys responsible for the automatic execution of the file-encryption software on the victim’s computer:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

In addition to this, the CyberJoker ransomware may also perform other activities on the infected computer, such as delete it’s shadow volume copies by executing the vssadmin and bcedit commands:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”

The ransomware virus also drops a Readme.html file and a wallpaper which has the following message:

Text from image:

Turkish Underground World ~
Guvenlik bir urun degil bir surectir.

CryptoJoker Ransomware – Encryption Process

To encrypt files on the infected computer, CryptoJoker uses it’s main executable CryptoJoker.exe which is configured to scan for and encrypt files with the following file extensions:


The CryptoJoker virus uses the AES encryption algorithm and it does not encrypt the whole file, but only parts of data from it so that the encryption process is a lot faster. In addition to this, the ransomware also appends the file extensions .pluss.executioner and .destroy.executioner to the encrypted files, making them start to appear like the following:

Remove CryptoJoker Ransomware and Restore .executioner Files

If you want to remove the CryptoJoker ransomware virus from your computer, it is strongly advisable to firstly isolate the threat prior to deleting it’s files. To do this, we advise you to follow the removal instructions below. They are specifically created in order to help you remove CryptoJoker either automatically or manually. If you lack the experience in malware removal, malware researchers strongly advise to remove this virus automatically, since this is the fastest and most effective method while remaining the simplest.

If you want to restore files that have been encrypted with the .executioner suffix added to them, we recommend that you try the alternative methods for file recovery below in step “2. Restore files encrypted by CryptoJoker Virus” below. They are created in order to help you restore as many files as possible without paying ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share