FANDOM


CryptoJoker is a ransomware-type virus that encrypts various files (for example, .txt, .doc, .docx, .ppt, etc.) stored on victims' computers. All files are encrypted using AES-256 encryption, and once successfully encrypted, victims are presented with a message stating that they are required to pay a ransom in bitcoins (otherwise the files will remain permanently decrypted).

It is similar to XRTN, Cryptowall, Chimera, and TeslaCrypt.

Payloads

Transmission

CryptoJoker is distributed as a .PDF file and, therefore, is often proliferated as an email attachment.

Infection

Once the CryptoJoker's installer (the .PDF file) is executed, a number of malicious files are downloaded/generated within the %AppData% or %Temp% folders. Be aware that CryptoJoker adds a .crjokerextension to each encrypted file. Updated variants of this ransomware use .cryptoNar and .partially.cryptolocker extensions for encrypted files. The displayed lockscreen contains all information regarding the encryption and states that users must pay a ransom within the given time frame, otherwise the private key (which is used to decrypt files) will be deleted and it will become impossible to recover the files affected by CryptoJoker. The message contains step-by-step payment instructions delivered in English and Russian. 

CryptoJoker demanding ransom payment to decrypt files:

ENGLISH:
Your personal files were encrypted using RSA key cryptographically!
It decrypts files can be knowing a unique, private RSA key length of 2048 bits, which 
is only for us.
Write to us at mail: [email protected] Spare mails: [email protected] or 
[email protected]
Instructions for payment will be sent in the opposite letter.
After payment we will send your key and decoder.
And remember, you only have 72 hours to make a payment, then the price will rise to 
decipher.
Attempts to decipher on their own will not lead to anything other than irretrievable loss 
of information.
Your unique key that is required to send to the specified email:
Good luck.
RUSSIAN:
Ваши личные файлы были зашифрованы при помощи криптостойкого RSA 
ключа!
Расшифровать файлы можно зная уникальный, закрытый RSA ключ длиной 
2048 бит, который есть только у нас.
Напишите нам на мейл: [email protected] Запасные мейлы: [email protected] или 
[email protected]
Инструкция для оплаты будут высланы в обратном письме.
После оплаты мы вышлем ваш ключ и дешифратор.
И помните, у вас есть только 72 часа, чтобы произвести оплату, потом цена 
на расшифровку поднимется.
Попытки расшифровать самостоятельно не приведут ни к чему, кроме безвозвратной потери информации.
Ваш уникальный ключ, который обязательно вышлите на указанный email:
Удачи.
========================================================================

Some file formats targeted by CryptoJoker:

.txt, , .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, 
.sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .pptx, .xlsb, .xlsm, 
.db, .docm, .sql, .pdf

CryptoJoker registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winpnp %Temp%\winpnp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\drvpci %Temp%\drvpci.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\windefrag %Temp%\windefrag.exe

Removal

Michael Gillespie (also known as Demonslay335) released a free decrypter for this ransomware.

Variant

CryptoJoker

This variant uses has the same name as the previous version but it uses ".partially.cryptojoker" extension for encrypted files and stores it's ransom demanding message in "CryptoJoker Recovery Information.txt" file.

Ransom demanding message presented in this file:

Hello, my name is CryptoJoker !!

My name is CryptoJoker. I have encrypted all your precious files including images,
videos, songs, text files, word files and e.t.c  So long story short, you are screwed ... 
but you are lucky 
in a way. Why is that ?? I am ransomware that leave you an unlimited amount of time 
to gather the money
to pay me. I am not gonna go somewhere, neither do your encrypted files.

FAQ:
1. Can i get my precious files back ??
Answer: Ofcourse you can. There
is just a minor detail. You have to pay to get them back.
2. Ok, how i am gonna get them back ?
Answer: You have to pay 100€
in bitcoin.
3. There isn't any other way to get back my files ?
Answer: Nahhh.
4. Ok, what i have to do then ?
Answer: Simply,
you will have to pay 100€ to this bitcoin address: 
1yh3eJjuXwqqXgpu8stnojm148b8d6NFQ . When time comes to send me the money,
make sure to include your e-mail and your personal ID(you can see it bellow) in the extra information box (it may apper also
as 'Extra Note' or 'optional message') in order to get your personal decryption key. It 
may take up to 6-8 hours to take your
personal decryption key.
5. What the heck bitcoin is ?
Answer: Bitcoin is a cryptocurrency and a digital payment system.
You can see more information here: https://en.wikipedia.org/wiki/Bitcoin . I recommend 
to use 'Coinbase' or 'Bitcoin Wallet'
as a bitcoin wallet, if you are new to the bitcoin-wallet. Ofcourse you can pay me 
from whatever bitcoin wallet you want,
it deosn't really matter.
6. Is there any chance to unclock my files for free ?
Answer: Not really. After 1-2 or max 3 years
there is propably gonna be released a free decryptor. So if you want to wait ... it's 
fine. As i said, i am not gonna go
somewhere.
7. What i have to do after getting my decryption key ?
Answer: Simple. Just press the decryption button bellow.
Enter your decryption key you received, and wait until the decryption process is done.
Your personal ID: -
Community content is available under CC-BY-SA unless otherwise noted.