Monday, January 18th, 2016 by Tyler Okhovatian
CryptoJoker is the latest variant in the destructive line of ransomware viruses that have been used over the past couple of years to extort money from individuals and businesses around the world, in exchange for the safe return of the data that the virus, in its various forms, has encrypted.
The CryptoJoker virus encrypts all of the data that it finds throughout your system – this includes local data as well as data that resides on network drives connected to your computer.
The virus encrypts a wide range of file types, including the most popular ones – Word documents, Excel documents, text files, images and database files. Each encrypted file has the word “crjoker” appended to its existing extension, so a file such as report.docx becomes report.docx.crjoker.
Seeing this at the end of your filenames is a sure sign that you have the virus; finding that you can no longer open or view any of your data is another good indicator.
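The “crjoker” suffix described above is the simplest indicator to check for on a machine or a shared drive. The following script is an added example and is not code from the original article: it walks a directory tree, lists every file carrying the suffix and counts which original file types were hit. The sample files it creates in a temporary directory are constructed for the demonstration, not real encrypted data.

```python
"""Scan a directory tree for files renamed with the ".crjoker" suffix that
CryptoJoker appends to the files it encrypts, and report them.
Added example; the sample tree below is constructed, not a real infection."""
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_SUFFIX = ".crjoker"  # suffix the article says is appended to each encrypted file


def find_encrypted_files(root):
    """Return the sorted paths under `root` whose names end with the ransomware suffix.
    The comparison is case-insensitive so RANSOM_SUFFIX in any capitalisation is caught."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(RANSOM_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_extensions(paths):
    """Count the original file types: 'report.docx.crjoker' counts as '.docx'."""
    counts = Counter()
    for p in paths:
        stem = Path(p).name[: -len(RANSOM_SUFFIX)]      # strip the appended suffix
        counts[Path(stem).suffix.lower() or "(none)"] += 1
    return counts


def build_sample_tree():
    """Create a constructed sample tree (hypothetical data) and return its root."""
    root = tempfile.mkdtemp(prefix="crjoker_demo_")
    files = {
        "docs/budget.xlsx.crjoker": b"<encrypted>",
        "docs/letter.docx.crjoker": b"<encrypted>",
        "docs/notes.txt.crjoker": b"<encrypted>",
        "docs/readme.txt": b"plain text, untouched",
        "pics/holiday.jpg.CRJOKER": b"<encrypted>",
    }
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    hits = find_encrypted_files(root)
    print(f"{len(hits)} encrypted file(s) found under {root}")
    for h in hits:
        print("  ", h)
    print("by original type:", dict(original_extensions(hits)))
```

Point `find_encrypted_files` at a mapped network share as well as the local disks: the article notes that the virus encrypts connected network drives too, and a count of hits per share tells you how far the infection reached before it was stopped.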
In addition to the above changes to the computer’s file system, the virus presents the user with a splash screen showing instructions for contacting the hackers in order to pay the ransom. When contact is made the user is also advised to send an encrypted RSA key, which presumably allows the hackers to send back a decryption key following successful payment – which has to be made in Bitcoin.
The hackers behind the CryptoJoker virus have distributed the malware as executable files that are disguised as PDF documents. The most common method of distribution for these files is email. The supposed PDF files arrive from various bogus companies, and the emails contain information designed to entice users into opening the attachment. One common ruse is to trick the recipient into thinking that the PDF contains an invoice that needs to be paid.
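An executable disguised as a PDF can be recognised from two things the sender cannot easily hide: the file name (a double extension such as invoice.pdf.exe, which Windows displays as invoice.pdf when “hide extensions for known file types” is on) and the first bytes of the content (a real PDF starts with %PDF-, a Windows executable starts with MZ). The checker below is an added example, not code from the original article; the attachment names and bytes it examines are constructed for the demonstration.

```python
"""Decide whether an e-mail attachment that presents itself as a PDF really is
one, or is a Windows executable dressed up as a PDF as the article describes.
Added example; SAMPLE_ATTACHMENTS are constructed, not real attachments."""
import os

PDF_MAGIC = b"%PDF-"  # every PDF file begins with this header
EXE_MAGIC = b"MZ"     # Windows PE executables begin with "MZ"

# Common subset of extensions Windows will execute when double-clicked
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def classify_attachment(filename, data):
    """Return a list of reasons the attachment is suspicious; an empty list means none."""
    findings = []
    lower = filename.lower()
    base, ext = os.path.splitext(lower)
    inner_ext = os.path.splitext(base)[1]   # ".pdf" for "invoice.pdf.exe"

    if ext in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension {ext}")
    if inner_ext == ".pdf" and ext != ".pdf":
        # "invoice.pdf.exe" is shown as "invoice.pdf" when known extensions are hidden
        findings.append(f"double extension .pdf{ext}")
    if data.startswith(EXE_MAGIC):
        findings.append("content is a Windows executable (MZ header)")
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        findings.append("named .pdf but content lacks the %PDF- header")
    return findings


# Constructed sample attachments: file name -> first bytes of the file
SAMPLE_ATTACHMENTS = {
    "invoice_0042.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",  # genuine PDF
    "invoice_0042.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",          # disguised executable
    "Statement.PDF": b"MZ\x90\x00\x03\x00\x00\x00",                  # extension lies about content
    "remittance.pdf.scr": b"MZ\x90\x00",                             # screensaver = executable
}


def scan_attachments(attachments=SAMPLE_ATTACHMENTS):
    """Classify every attachment; returns a dict of name -> findings."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, findings in scan_attachments().items():
        verdict = "SUSPICIOUS" if findings else "OK"
        print(f"{verdict:10} {name}")
        for reason in findings:
            print(f"           - {reason}")
```

The content check matters more than the name check: a mail gateway or user can rename a file, but the loader in Windows will only run a file whose bytes begin with the MZ header, so an attachment that fails the header test should be treated as an executable regardless of what it is called.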
Many readers will have a sense of déjà vu while reading the above description of the CryptoJoker virus – it sounds very similar to a previous virus called CryptoLocker. Indeed, this virus is very similar and comes from the same family of viruses. The big difference, and what makes the CryptoJoker variant much more dangerous, is that it also has the ability to delete shadow copy data. Historically the data stored in a computer’s Windows shadow copies, especially on business networks, provided a very easy way to restore data that had been encrypted by similar viruses. The fact that CryptoJoker deletes this information makes an infected machine much harder to recover.
Removing the virus itself is relatively easy – many anti-malware programs, including Malwarebytes Chameleon, can remove the virus without a great deal of effort – but recovering your data is another matter. Because the virus encrypts your data with AES-256 encryption, it is virtually impossible to decrypt the data without the encryption key, which is known only to the hackers.
Because of this, the choices you have for recovering your data are very limited:
1. Pay the ransom and hope that you are sent the decryption key
2. Restore your data from an external backup (if you have one)
As always, prevention is the best cure and understanding how to avoid this virus in the first place is crucial for those of us that have sensitive or important data on our computer systems.
Because the virus is typically spread via email, it is very important never to open an email attachment unless you are certain where it has come from and what it contains.
For example, if you receive an “invoice” via email you should be certain that you are familiar with the company that sent it and that you are expecting that particular invoice. Even if it appears to come from a company that you have dealt with in the past, if there isn’t some sort of reference number that you can cross reference from your end then you should not open the attachment.
Backing up your data is also extremely important and provides you with a safety net even if you do get infected. When you back up your data you should always ensure that you have an off-site copy – this may be stored on an external hard drive or on a cloud-based backup service. Since the virus also encrypts data on network drives connected to the infected computer, a backup that stays permanently connected offers less protection than one that is disconnected between backup runs.