New Ransomware Demands Ransom in Bitcoins to Get Your Files Back
With a new year comes new challenges, new hopes, new resolutions, and of course, new ransomware. The newest discovered ransomware called Cryptojoker proves to be anything but amusing to its victims, and although it doesn’t appear to have been widely distributed as of yet, it is an entirely functional ransomware that could see increased distribution in the future.
Beware of unknown emails
IT security experts cannot stress enough how important it is NOT to open emails from unknown sources, but sometimes, the curiosity of these mystery emails is just too much for us to resist. That being said, it is thought that because this ransomware is being disguised as a PDF file, it is more than likely that CryptoJoker is being distributed via email phishing campaign, and you can bet that the subject is not “the PDF file attached to this email is just ransomware in disguise”. Unfortunately, these cybercriminals are a lot smarter than that.
How it works
CryptoJoker uses AES-256 encryption that demands a ransom in bitcoins to get your files back, and once the installer is executed, it will download or generate several executables in the%APPData% folder and %TEMP% folder. Each of these files will perform several tasks that include:
- Sending your information to the Command and Control server
- Polling for active Regedit or Taskmgr processes and terminating them
- Ensuring that the lock screen remains visibly located on the top of other active Windows
As soon as CryptoJoker encrypts your data, it will scan all of your drives. This includes mapped network drives on your computer for files with certain extensions. When it finds targeted extensions, it will encrypt the file and change the filename so it has a ‘.crjoker’ extension appended to it. For example, Vacatio.jpg would become Vacation.jpg.crjoker.
While CryptoJoker is encrypting your data, it will also send your information to the Command & Control server located at server6.thcservers.com. This information includes the date, your hostname, username, and machine name.
Currently, there is not a known free method to decrypt files that have been encrypted by CryptoJoker. You must simply keep all of your files backed up and ready to recover, in order to avoid losing access and having to pay the ransom fee.
Contact Integris at (888) 330-8808 or send us an email at [email protected] to find out about our managed IT services. We’ll keep all of your files safe against any type of malware.