CryptoJoker Ransomware

Posted by Max Lehmann on January 5, 2016

What is CryptoJoker Ransomware?

Not only is CryptoJoker Ransomware a dangerous malware infection, but it may also be your biggest nightmare. This Trojan infection poses as a PDF file and that is how it infiltrates your computer. If it enters your operating system, you are practically doomed. You will not be able to stop this crypto “express,” and you will only notice its presence when it shocks you with its pop-up window that contains the ransom note and instructions as to how to regain your files. This malicious program can encrypt all your personal files, including images, documents, and databases as well. Once it has accomplished its destructive mission, you will have only one choice to ever see or use your files again: If you transfer the ransom fee. However, we do not advise you to do so because you cannot be sure that even if you pay the usually couple of hundreds of dollars, you will really get a decryption key and a decoder. This is really bad news for those inexperienced computer users who do not regularly save their files on an external drive. Let us tell you in more detail how you can prevent such attacks from happening and how you can remove CryptoJoker Ransomware even manually.testtesttest

Where does CryptoJoker Ransomware come from?

According to our malware researchers at Anti-Spyware-101.com, this Trojan seems to mostly come in spam e-mails as a .pdf attachment. Therefore, you can actually avoid such attacks if you understand the importance of being careful about opening your mails and clicking on links and attachments in them. Trojans can easily impersonate any entity as the sender of these spam e-mails in order to trick you into opening them. We suggest that you only open attachments that you actually expect to get and that you do not click on in-text links unless you are sure that they were meant for you and they are safe to click on. This way you can help protect your computer. However, an authentic antimalware program can easily nip these attacks in the bud if it is kept updated and active in the background.

How does CryptoJoker Ransomware work?

This Trojan uses quite a number of files to perform its malicious tasks, including deleting the shadow copies of your files so that they cannot be recovered, preventing you from running the Task Manager and the Registry Editor, making sure that the ransom note is on top and visible, and sending information to its CNC server (Command and Control). For example, it uses a batch file named new.bat to perform a few tasks. This file contains the following code:

vssadmin.exe Delete Shadows /All /Quiet
bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
vssadmin.exe delete shadows /all /quiet

Research shows that this CryptoJoker Ransomware mainly targets the following extensions: .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .db, .docm, .sql, .pdf. As you can see, these involve most of your personal files that are most probably important for you. This is how the criminals behind this Trojan try to extort money from you because they know exactly that these files you will definitely miss and be more than sad to lose.

When this infection has finished with the encryption of the target extensions, it will display a red pop-up window with instructions on top of all your windows. This ransomware uses one of the built-in encryption systems of Windows called AES-256 even though the ransom note claims otherwise as it says it has used RSA-2048 to encrypt your files, which is one of the impossible-to-break systems. It does use the latter system to encrypt a personal identifier that you are supposed to send to the given e-mail addresses that are: file987@sigaint.org, file9876@openmail.cc, or file987@tutanota.com. You are given 72 hours to make the transfer in a way you are explained in a response mail. However scared you may be losing all your files, we do not suggest that you pay any money to these criminals, but, of course, it is always your choice to make. You should still consider the possibility that you will get no decryption key even if you pay.

How can I remove CryptoJoker Ransomware?

In order to restore order on your computer and clean it of this Trojan invasion, you need to follow our guide below this article step by step very carefully. Actually, we mainly recommend manual removal for more experienced users because modifying your Windows Registry might cause irreversible damage should you remove the wrong keys. If you are looking for an automated solution, we can suggest that you download and install a decent antimalware application that will also protect your PC from similar malware threats.

Restart in Safe Mode with Networking

Windows XP/Windows Vista/Windows 7

  1. Restart your computer and keep hitting the F8 key.
  2. Choose Safe Mode with Networking from the menu and press Enter on your keyboard.

Windows 8/Windows 8.1/Windows 10

  1. Tap Win+I and press the Power icon.
  2. While pressing and holding down the Shift key, click Restart.
  3. Select Troubleshoot and then, Advanced Options.
  4. Choose Startup Settings.
  5. Click Restart.
  6. Press F5 to restart your computer in Safe Mode with Networking.

View hidden items in Windows File Explorer

Windows 8/Windows 8.1/Windows 10

  1. Tap Win+E.
  2. Choose the View menu and mark the Hidden items checkbox.

Windows Vista/Windows 7

  1. Tap Win+E.
  2. Press the Organize button and select Folder and search options from the menu.
  3. Choose the View tab.
  4. Select Show hidden files and folders.
  5. Press OK.

Windows XP

  1. Tap Win+E and pick the Tools menu.
  2. Choose Folder Options and select the View tab.
  3. Mark Show hidden files and folders and click OK.

Remove CryptoJoker Ransomware

  1. Tap Win+E and find this folder: C:\Users\user\AppData\Local\Temp.
  2. Identify and remove the following files: winpnp.exe, drvpci.exe, windefrag.exe, windrv.exe, crjoker.html, GetYouFiles.txt, imgdesktop.exe, README!!!.txt, and new.bat.
  3. Find this folder: C:\Users\user\AppData\Roaming and remove the following files: README!!!.txt22 and baefefbed.exe.
  4. Tap Win+R and enter regedit. Click OK.
  5. Delete the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run baefefbed “C:\Users\user\AppData\Roaming\baefefbed.exe.”
  6. Delete the following Registry keys: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    \winpnp “C:\Users\user\AppData\Local\Temp\winpnp.exe”
    \drvpci “C:\Users\user\AppData\Local\Temp\drvpci.exe”
    \windefrag “C:\Users\user\AppData\Local\Temp\windefrag.exe”
  7. Restart your machine.
100% FREE spyware scan and
tested removal of CryptoJoker Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *