CryptoJoker Ransomware Removal Guide

Do you know what CryptoJoker Ransomware is?

CryptoJoker Ransomware is one of those infections that you want to keep as far away from your files as possible. If this infection manages to find its way in, it will encrypt your personal files using AES-256 encryption, and you will be asked to make a payment (a ransom) in return for their decryption. Needless to say, just like CryptoLocker, Tox Ransomware, and other infamous ransomware threats that we recommend removing, this infection targets personal files. According to our research, this threat can encrypt various types of files, including .txt, .pdf, .doc, .docx, .jpg, .png, .jpeg, and .pptx. Unless you have your photos, documents, text files, and other personal files backed up, it is likely that you will feel backed into a corner. Unfortunately, many users feel that paying the ransom is the only way out. Continue reading this report, and, hopefully, you will know what to do and how to delete CryptoJoker Ransomware.

The installer of the malicious ransomware has a .pdf file icon, which is meant to fool a user into executing it. It is likely that this fake PDF file will be attached to spam emails seemingly sent by familiar parties (e.g., airlines, online vendors, postal services, etc.). Schemers have all the tools to create email addresses that look similar to the addresses of authentic parties, which is what allows them to trick many users not only into installing malware but into sharing personal information as well. Once executed, CryptoJoker Ransomware uses AES-256 encryption – a system that adds a password to every file encrypted – to lock your files. In order to “unlock” them, you are required to purchase a decryption key. Unfortunately, this ransomware deletes the shadow copies of the encrypted files, which makes them impossible to restore. You can easily identify these files by the “.crjoker” extension attached to the file (e.g., text.txt.crjoker, photo.jpg.crjoker). We have found that this threat is capable of encrypting files found on the Desktop, within Program Files, Windows, Temp, and other directories.

CryptoJoker Ransomware also disables access to the Task Manager and Registry Editor to stop you from removing malicious files. Overall, it is unlikely that you could decrypt files even if these utilities were accessible. Once the encryption is performed, this malicious ransomware shows a message with instructions on how to decrypt files. These instructions are presented both in English and Russian. Just in case you choose to ignore this message, the devious ransomware creates a ton of TXT files, including GET MY FILES.txt, READ NOW.txt, README!!!.txt, ПРОЧТИ.txt, and РАСШИФРОВАТЬ ФАЙЛЫ.txt, just to make sure that you get the message. In short, this message orders you to contact one of the provided emails to receive a private key that supposedly can help you decrypt files. You are also warned that you have only 72 hours to make the payment, and, if you do not, your files will remain locked forever. If you remove CryptoJoker Ransomware, your files will remain locked. Of course, you can delete the encrypted files right away if you have backup copies or do not care about losing them.

Once installed, the malicious ransomware creates files in the %Temp% directory and a file under %AppData%. Some of the files in the %Temp% directory are added to the Registry so that they start as soon as Windows starts. These are the files that are responsible for disabling Task Manager and Registry Editor. If you remove these files and registry entries, you should regain access to these tools. Follow the instructions below to learn how to delete these files and registry entries. According to our research, these removal steps should be enough to delete CryptoJoker Ransomware completely. Nonetheless, we recommend using an automated malware removal tool to eliminate the remaining threats, as well as to keep malware away in the future.

Reboot your PC in Safe Mode

N.B. To delete malicious files and registry entries, first reboot your operating system in Safe Mode.

Windows 8/Windows 8.1

  1. Click the Power Options button in Metro UI.
  2. Simultaneously press the Shift key on your keyboard and click Restart.
  3. Select Troubleshoot, move to Advanced options, and click Startup Settings.
  4. Click Restart and tap F4 (Safe Mode).

Windows 10

  1. Click the Windows logo on the Taskbar and click Power.
  2. Simultaneously press the Shift key on your keyboard and click Restart.
  3. In the Troubleshoot menu, move to Advanced options and click Startup Settings.
  4. Click Restart and tap F4 (Safe Mode).

Remove files and registry entries

  1. Launch RUN (simultaneously tap Win+R).
  2. Enter %Temp% into the dialog box and click OK.
  3. Right-click and Delete malicious files (drvpci.exe, windefrag.exe, windrv.exe, winpnp.exe, crjoker.html, GetYouFiles.txt, imgdesktop.exe, README!!!.txt, new.bat, sdajfhdfkj (might have a random name)).
  4. Launch RUN again and this time move to %Appdata%.
  5. Delete malicious files, README!!!.txt22 and baefefbed.exe (might have a random name).
  6. Launch RUN again and enter regedit to launch Registry Editor.
  7. Move to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  8. Right-click and Delete drvpci (REG_SZ C:\Users\user\AppData\Local\Temp\drvpci.exe).
  9. Right-click and Delete windefrag (REG_SZ C:\Users\user\AppData\Local\Temp\windefrag.exe).
  10. Right-click and Delete winpnp (REG_SZ C:\Users\user\AppData\Local\Temp\winpnp.exe).
  11. Move to HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run.
  12. Right-click and Delete baefefbed (REG_SZ C:\Users\user\AppData\Roaming\baefefbed.exe). Note that baefefbed might be replaced with a random name.
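The same audit of the Run keys and drop directories listed in the steps above, written as an added PowerShell example (it is not part of the original guide and not the ransomware's own code); it assumes $env:TEMP and $env:APPDATA map to the %Temp% and %AppData% paths the guide refers to, reports what it finds, and removes entries only when run with -Remove from Safe Mode as the guide advises.

```powershell
# Added example: audit (and optionally remove) the CryptoJoker persistence indicators
# named in the removal steps above. Report-only by default; pass -Remove to delete.
[CmdletBinding()]
param([switch]$Remove)

# File names taken from the removal steps; the randomly named droppers (sdajfhdfkj,
# baefefbed) cannot be matched by name, so they are caught by the Run-key heuristic below.
$knownFiles = @('drvpci.exe', 'windefrag.exe', 'windrv.exe', 'winpnp.exe', 'crjoker.html',
                'GetYouFiles.txt', 'imgdesktop.exe', 'README!!!.txt', 'new.bat')
$runKeys = @('HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
# Assumption: these environment variables resolve to the %Temp% and %AppData% drop directories.
$dropDirs = @($env:TEMP, $env:APPDATA)

# 1. Any Run value whose target executable lives inside a user-writable drop directory.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
        $target = [string]$p.Value
        $suspect = $dropDirs | Where-Object { $target -like "$_*" }
        if ($suspect) {
            Write-Output "Run value '$($p.Name)' in $key -> $target"
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name }
        }
    }
}

# 2. Dropped files matched by name in %Temp% and %AppData%.
foreach ($dir in $dropDirs) {
    foreach ($name in $knownFiles) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) {
            Write-Output "Dropped file: $path"
            if ($Remove) { Remove-Item -LiteralPath $path -Force }
        }
    }
}

# 3. Encrypted files are counted only, never deleted: keep them for any later recovery attempt.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter '*.crjoker' -ErrorAction SilentlyContinue
Write-Output "Files with the .crjoker extension under $($env:USERPROFILE): $($encrypted.Count)"
```

Run it once without -Remove and compare the reported Run values against steps 8 to 12 before deleting anything, since a legitimate program that starts from %AppData% would also be flagged by the directory heuristic.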

In non-techie terms:

CryptoJoker Ransomware is an infection that requires immediate removal. Unfortunately, this infection will leave your files paralyzed even if you delete it successfully. According to our research, this infection is capable of encrypting files, which is used to demand a ransom from you. Whether or not your files will be released after the payment is not something we can guarantee. Hopefully, you have your personal files backed up, and you can delete the ransomware and the infected files without any hesitation. If you have questions for us, you can start a discussion below.