CryptoJoker Ransomware

CryptoJoker Ransomware is definitely not a malware infection you can ignore or take as a joke; instead, it may well be your worst nightmare. Although it seems that this Trojan is not yet widely spread, but it will certainly gain more portions of the malware infection “cake” with time passing. No matter how “popular” it is currently, though, you need to be warned that this is a serious and dangerous threat to your operating system and your personal files. If this malware infection sneaks on board and accomplishes its mission, you will most probably have to say goodbye to all your documents, images, and databases, which will be encrypted in as fast as a minute; unless, of course, you are a security-minded computer user who keeps saving backups on an external drive. That is the only way you can actually restore your files because even paying the ransom this Trojan tries to extort from you may not help you. If you do not remove CryptoJoker Ransomware right away, you will not only lose your files, you may also not be able to use your computer again.

The installer of this Trojan is disguised as a PDF file. Thus, it is probably mainly distributed via spam e-mails. In order to avoid Trojan infections, one of the most important rules is to never open unfamiliar e-mails and never click on links and attachments even in familiar or official-looking e-mails – unless you are expecting those – because spam e-mails can pose as anyone or any institution to look authentic. It is all about deception. Going through your inbox you may not even think twice when you see an e-mail, for example, from a well-known or your own Internet provider. Obviously, cyber criminals use sophisticated tactics to make sure you click on the included link or attached files, in this case a .pdf document. But once you click, there is no way back; the Trojan gets dropped onto your computer and it starts its dirty business right away. The only way you could stop this from happening would be a trustworthy and up-to-date malware removal tool running in the background.

This Trojan infection uses several files to complete its task. First of all, it creates or downloads the following text files on your desktop: GET MY FILES.txt, READ NOW.txt, read this file.txt, READ.txt, README!!!.txt, readme.txt, DECRYPT FILES.txt, ПРОЧТИ.txt, and РАСШИФРОВАТЬ ФАЙЛЫ.txt. These mainly contain the ransom note text in English and Russian languages and the targeted extensions. It also creates the following files in the %Temp% directory: drvpci.exe, windefrag.exe, windrv.exe, winpnp.exe, crjoker.html, GetYouFiles.txt, imgdesktop.exe, README!!!.txt, and new.bat. Then this malware adds the following Registry entries so that drvpci.exe, windefrag.exe, and winpnp.exe executable files can automatically start up with Windows:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• drvpci “C:\Users\user\AppData\Local\Temp\drvpci.exe”
• windefrag “C:\Users\user\AppData\Local\Temp\windefrag.exe”
• winpnp “C:\Users\user\AppData\Local\Temp\winpnp.exe”

Apart from all these files, it also creates two files in %Appdata% directory called baefefbed.exe, which is a random name, and README!!!.txt22. This is the registry key this Trojan adds for the executable: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

baefefbed “C:\Users\user\AppData\Roaming\baefefbed.exe.” Each of these files are used to perform various tasks, including sending information to the Command and Control server, checking and terminating all active Task Manager and Registry Editor processes, and so on.

We have found that CryptoJoker Ransomware targets the following document, image, and database extensions: .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, .db, .docm, .sql, .pdf. When this ransomware starts the encryption of your files it will scan all your available drives, including mapped network drives, targeting these extensions. When the encryption of a file is done, this malware will add the .crjoker extension, for example, myphoto.jpg.crjoker. This Trojan infection uses AES-256 system to encrypt your files, which is a built-in Windows encryption; therefore, the whole process will not take more than one minute most probably. So you can see now that killing this infection before it could finish its job is practically impossible, unless, of course, you have super powers and you can react in milliseconds after realizing that you cannot access your files or that their extensions changed without your permission.

When this ransomware finishes its destructive run on your available drives, it will display a small window on your desktop, on top of all your active windows, with both English and Russian instructions. This infection also makes sure that you cannot run the Task Manager and the Registry editor in order to protect itself. It will also run a batch file (new.bat), which executes a removal of the shadow volume copies of your files so that these files cannot be repaired automatically. The instructions of the ransom note informs you that you must send an e-mail for payment instructions to one of the following addresses: file987@sigaint.org, file9876@openmail.cc, or file987@tutanota.com.

Although the ransom alert note claims that your files have been encrypted by RSA-2048 system, in fact, only your personal code gets encrypted with this method, the one you are supposed to send in the contact e-mail. You are given 72 hours to transfer the money these criminals ask for or else the fee will increase. You are also told not to temper with the infection or your files because it may result in “irretrievable loss of information.” Of course, there is no guarantee whatsoever that you will ever get the promised key and decoder; there never is. This is when backup files come in handy. If you keep your personal files saved on an external HDD or a pendrive, you can copy them back onto your machine any time. However, it is important to make sure that your system is all secure. Therefore, we advise you to delete CryptoJoker Ransomware as soon as possible and then you can start restoring your files.

If you do not have a backup copy, we are sorry but you cannot decrypt your files with any tools yet. It is possible that in the future when this ransomware hits more computers and experts figure out a way to decrypt the files, there will be free tools available on the net. But until then, there is nothing much you can do apart from cleaning your system of this dangerous invader.

The only way to eliminate CryptoJoker Ransomware is by going into Safe Mode with Networking after restarting your computer. Then, you can remove all the files and Registry entries it created. But before you do so, make sure that the hidden folders are shown in your File Explorer; otherwise, you will not find the %Appdata% directory. However, if you are considering paying the ransom, you should not delete the text files from your desktop because they contain the instructions, your unique encrypted code, and the e-mail addresses you are supposed to use. After you have finished, you need to restart your computer. Please follow our instructions below very carefully because if you happen to delete the wrong registry keys, you may cause more damage than good. Actually, we mainly recommend manual removal for more experienced users who know what may be at stake here. For safer and more efficient removal we advise you to use a professional malware removal tool.

How to restart in Safe Mode with Networking

Windows 8, Windows 8.1, and Windows 10

1. Tap Win+I and click on the Power icon.
2. While pressing and holding the Shift key, press Restart.
3. Select Troubleshoot and then, Advanced Options.
4. Choose Startup Settings.
5. Press Restart.
6. Tap F5 to reboot your PC in Safe Mode with Networking.

Windows XP, Windows Vista, and Windows 7

1. Restart your PC and tap the F8 key.
2. Select Safe Mode with Networking from the menu and hit Enter.

Display hidden items in Windows File Explorer

Windows 8, Windows 8.1, Windows 10

1. Press Win+E.
2. Select the View menu and tick the Hidden items checkbox.

Windows Vista and Windows 7

1. Press Win+E.
2. Press the Organize button and select Folder and search options from the menu.
3. Choose the View tab.
4. Select Show hidden files and folders.
5. Press OK.

Windows XP

1. Press Win+E and choose the Tools menu.
2. Select Folder Options.
3. Click on the View tab.
4. Select Show hidden files and folders.
5. Press OK.

How to remove CryptoJoker Ransomware

1. Press Win+E and locate C:\Users\user\AppData\Local\Temp folder.
2. Find and delete the following files: drvpci.exe, windefrag.exe, windrv.exe, winpnp.exe, crjoker.html, GetYouFiles.txt, imgdesktop.exe, README!!!.txt, and new.bat.
3. Locate C:\Users\user\AppData\Roaming folder.
4. Find and delete the following files: baefefbed.exe and README!!!.txt22.
5. Press Win+R and type in regedit. Press OK.
6. Locate and delete the following Registry entries:
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
   \drvpci “C:\Users\user\AppData\Local\Temp\drvpci.exe”
   \windefrag “C:\Users\user\AppData\Local\Temp\windefrag.exe”
   \winpnp “C:\Users\user\AppData\Local\Temp\winpnp.exe”
7. Locate and remove the following Registry entry:
   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
   \baefefbed “C:\Users\user\AppData\Roaming\baefefbed.exe.”
8. Restart your operating system.