CMI Blog

New Ransomware - CryptoJoker - is Not a Joke

Beware of a new ransomware called CryptoJoker that encrypts your data using AES-256 encryption and then demands a ransom in bitcoins to get your files back. CryptoJoker has not been widely distributed yet, but it is fully functional ransomware that could see greater distribution in the months to come.

The CryptoJoker installer is disguised as a PDF file, which means it will likely be sent to victims via email phishing campaigns. Once the installer is executed it will download or generate numerous executables in the %Temp% folder and one in the %AppData% folder. Each of these files performs a different task, such as sending information to the Command & Control server, polling for active Regedit or Taskmgr processes and terminating them, and making sure the lock screen is visible and stays on top of other active windows.

When CryptoJoker encrypts your data, it will scan all drives, including your mapped network drives, looking for files with certain extensions. When it discovers a targeted extension it will encrypt the file and append a .crjoker extension to the filename. For example, Dog.jpg would become Dog.jpg.crjoker. The extensions that CryptoJoker targets are the ones most of us use every day, including: .txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .java, .jpeg, .pptm, .xlsb, .xlsm, .db, .docm, .pdf

While encrypting your data, CryptoJoker will also send information to the Command & Control server located at server6.thcservers.com. The information that is sent by CryptoJoker includes the date, your hostname, username, and machine name.

The worst part is that CryptoJoker makes it impossible to use the shadow volumes to recover your files: as part of the installation process, it also creates a batch file in the %Temp% folder called new.bat that executes various commands to remove Shadow Volume Copies and disable Windows automatic startup repair. Grrrrrrr.

Once CryptoJoker has done all of this, it will display a small window with instructions in both English and Russian. These instructions state that the victim must email file987@sigaint.org, file9876@openmail.cc, or file987@tutanota.com for payment instructions. When sending the email you must also include an RSA-encrypted string of text that is displayed in this window, which is read from %Temp%\README!!!.txt. The malware developer will then respond with the ransom amount and other instructions.

This ransom note will stay on top of your open applications unless you terminate the %Temp%\WinDefrag.exe process.
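As an added illustration (not code from the original post), the following Python script checks a host for the indicators described above: files renamed with the .crjoker suffix, the files dropped in %Temp%, and DNS log lines naming the Command & Control host. The sample directory tree and log lines are constructed inside the script, and the log line format is an assumption.

```python
import tempfile
from pathlib import Path

# Indicators stated in the post above (constructed sample data comes later)
ENCRYPTED_SUFFIX = ".crjoker"          # Dog.jpg becomes Dog.jpg.crjoker
DROPPED_IN_TEMP = ("README!!!.txt", "new.bat", "WinDefrag.exe")
C2_HOST = "server6.thcservers.com"

def find_encrypted_files(root):
    """Return (path, original extension) for every .crjoker file under root;
    the original name sits in front of the suffix, so the data type survives."""
    hits = []
    for p in Path(root).rglob("*" + ENCRYPTED_SUFFIX):
        original = p.name[: -len(ENCRYPTED_SUFFIX)]
        hits.append((str(p), Path(original).suffix.lower()))
    return sorted(hits)

def find_dropped_files(temp_dir):
    """Return which of the post's %Temp% artifacts exist in temp_dir."""
    return [n for n in DROPPED_IN_TEMP if (Path(temp_dir) / n).exists()]

def c2_lookups(dns_log_lines):
    """Return log lines naming the C2 host; the line format is assumed."""
    return [line for line in dns_log_lines if C2_HOST in line]

def triage(root, temp_dir, dns_log_lines):
    encrypted = find_encrypted_files(root)
    dropped = find_dropped_files(temp_dir)
    c2 = c2_lookups(dns_log_lines)
    return {
        "encrypted_count": len(encrypted),
        "hit_types": sorted({ext for _, ext in encrypted}),
        "dropped": dropped,
        "c2_hits": len(c2),
        "infected": bool(encrypted or dropped or c2),
    }

def demo():
    """Build a constructed sample host (not real data) and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "Dog.jpg.crjoker").write_bytes(b"\x00" * 16)
    (root / "docs").mkdir()
    (root / "docs" / "q1.xlsx.crjoker").write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt").write_text("untouched")
    temp = root / "Temp"
    temp.mkdir()
    (temp / "README!!!.txt").write_text("ransom note")
    (temp / "WinDefrag.exe").write_bytes(b"MZ")
    dns = ["host1 query A " + C2_HOST, "host1 query A update.example.com"]
    return triage(root, temp, dns)
```

Running `demo()` reports two encrypted files of types .jpg and .xlsx, two dropped artifacts, one C2 lookup and an infected verdict; pointing `triage` at a real home directory, the user's %Temp% path and a DNS resolver log would do the same for a live host.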

Currently, there is no known method to decrypt files encrypted by CryptoJoker for free.

To stay abreast of the latest malware, cyber security threats and viruses, get in touch with a trusted IT company and ensure that your corporate data and business devices are as safe as they can possibly be.

Call BTA today – the business IT experts, a leading London IT provider you can trust.

0208 875 7676
