

CryptoJacky is a ransomware that does not belong to a family of threats; instead, it was created as an independent threat. According to VirusTotal, CryptoJacky was made on June 19th, 1992. CryptoJacky went wild on March 22nd, 2017.

Payloads

Transmission

CryptoJacky is distributed through malicious email attachments: text files that try to execute malicious code on the targeted computer through the use of macros.

Infection

The CryptoJacky attack uses a customized, open-source encryption engine based on AES to encrypt the victims' files. CryptoJacky does this to take the victims' files hostage and then demand payment of a ransom to decipher the affected content. CryptoJacky encrypts numerous file types, including media files, images, documents of various types, databases, and similar content. Once CryptoJacky infects a computer, it scans all drives connected to that computer and begins encrypting the victims' files. Once a file has been encrypted by CryptoJacky, it becomes unreadable. CryptoJacky avoids encrypting the files contained in the following folders:

AppData
Program Files
ProgramData
System Volume
Windows

CryptoJacky delivers its ransom note in the form of a pop-up message that reads 'Ransom_ph! has detected immoral activity online and has retained your files.' Victims are asked to open a file named 'ransom instructions' that is dropped on the infected computer's Desktop. This file contains the following text:

To purchase the password, click on the "ransom-payment" icon. Once the link is open, select above the box "list" and then, in the column on the left, the option with which you will pay; on the right, select bitcoins. Click "Find the best rate". Go to one of the sites that will appear on the right and buy EUR 250 in bitcoins, then send them to the following address (right click and paste where you want): [RANDOM CHARACTERS]
Once the payment has been made, let me know by sending me an email to the following address: ransom_ph@mail2noble.com
If so, the password will be sent to you.
Click on "ransom of files" and enter it.