A new ransomware has been detected to infect user PCs, encrypting sensitive files, called CryptoJoker. However, contradictory to its name the cyber-threat is not funny business at all. The ransomware variant has been outlined to infect files with multiple file extensions massively and encrypt them via a AES-256 bits encryption algorithm and the decryption may be possible only if there are holes in the decrypted file since it is very strong in bits. All users who have been infected should immediately disconnect from the internet and check whether or not they have backup. All users who have not been infected should back up their data to both an external drive and shadow volumes.
|Short Description||Encrypts user files, corrupting them hence making them impossible to be opened.|
|Symptoms||Users may witness a ransom note with instructions on how to pay and their files encrypted with the .crjoker extension. (ex. /filename/.jpg.crjoker)|
|Distribution Method||Malicious URLs, malicious email attachments|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by CryptoJoker Ransomware|
|User Experience||Join our forum to follow the discussion about CryptoJoker Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
CryptoJoker – How Does It Spread
There are several ways by which this vile threat may be through malicious attachments in Spam e-mail messages. The Ransomware is distributed in near identical way most Trojan Horses are spread. CryptoJoker is reported to spread via several different documents and files, one of which was reported to be a .pdf document that may have been infected via a compilator. Users are advised also to keep their eyes peeled for any suspicious sites that they visit.
CryptoJoker Ransomware – How Does It Work?
Once activated on the user PC, the ransomware Trojan begins to deploy its payload files in the following locations:
The payload modules may be of the following file formats:
→.dll; .exe; .tmp; .dat; .bat; .vbs;
After they have been activated, the Trojan may perform different activities such as delete the Shadow Volume Copies of Windows, delete backups and modify the Windows Registry Editor. After this has been performed, the Trojan may begin to scan for the following file extensions:
→.txt, .docx, .doc, .xls, .pdf, .java, .jpeg, .sql, .db, .docm, .odt, .csv, .xlsb, .xlsm, .aspx, .html, .psd, .pptx, .mdb, .sln, .xlsx
After this process is complete the rasomware may encrypt either portion of the designated file or the whole file with a strong AES-256 bit encryption algorithm changing their extension to “.crjoker”.
The Ransomware leaves the following ransom note afterwards:
We strongly advise affected users by the CryptoJoker Ransomware NOT to pay the ransom money and to look for other ways to decrypt their data. This Is because paying the ransom may not be a guarantee that you will get your files restored and also it funds the cyber-criminal organization to further sophisticate their operation.
Removing CryptoJoker Ransomware Fully
In order to wipe this threat clean off, you need to isolate it first. This may happen in several different ways, the most accessible and fastest of which is if you boot your computer in Safe Mode. This will stop any third-party apps and processes from running and may allow you to scan your computer and eradicate all associated objects with CryptoJoker. For the removal itself it is recommended to use and advanced anti-malware program that will make sure there is not Trace of CryptoJoker and protect you from future intrusions.