cryptojoker

[Content by Gemini 2.5]


[Threat Profile] CryptoJoker (.cryptoJoker / .partially.cryptoJoker / .CryptoLocker) – 2020 Active Ransomware

Target Audience: SOC analysts, incident responders, IT administrators, and end-users seeking a concrete, actionable guide, not marketing copy.


Technical Breakdown

1. File Extension & Renaming Patterns

  • Primary extensions observed:
    .cryptoJoker, .partially.cryptoJoker, or the legacy strain's .CryptoLocker are used interchangeably.
  • Renaming Convention:
    Original filename becomes [original_name].[original_ext].cryptoJoker
    Example before/after: QuarterlyReport.xlsx becomes QuarterlyReport.xlsx.cryptoJoker
    Newer versions append .partially.cryptoJoker and drop the ransom note directly into the affected folder (ReadmeDecrypt!.txt).
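The renaming convention above is enough to triage a file share without any vendor tooling. The following added example (not code from the page or from any decryptor) walks a directory tree, matches the three extension forms, recovers the original filename from each hit and flags folders that also carry the ransom note; the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Renaming pattern from the profile: <name>.<ext>.cryptoJoker,
# <name>.<ext>.partially.cryptoJoker, or the legacy <name>.<ext>.CryptoLocker.
ENCRYPTED_RE = re.compile(
    r"^(?P<orig>.+?)\.(?:partially\.)?(?:cryptoJoker|CryptoLocker)$")
RANSOM_NOTE = "ReadmeDecrypt!.txt"


def triage_tree(root):
    """Walk `root` and report CryptoJoker artifacts per directory.

    Returns {relative_dir: {"encrypted": [(encrypted_name, original_name)],
                            "note": bool}} for directories with any hit."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in sorted(files):
            if name == RANSOM_NOTE:
                report[rel]["note"] = True
                continue
            m = ENCRYPTED_RE.match(name)
            if m:
                report[rel]["encrypted"].append((name, m.group("orig")))
    return dict(report)


def build_sample_tree():
    """Constructed sample tree: one fully hit folder, one legacy-strain
    folder, and one clean folder with a look-alike name."""
    root = tempfile.mkdtemp(prefix="cj_triage_")
    layout = {
        "Finance": ["QuarterlyReport.xlsx.cryptoJoker",
                    "Budget.docx.partially.cryptoJoker", RANSOM_NOTE],
        "Archive": ["old.pdf.CryptoLocker"],
        "Clean": ["notes.txt", "cryptoJoker_readme.md"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            open(os.path.join(root, sub, n), "w").close()
    return root


if __name__ == "__main__":
    for d, info in sorted(triage_tree(build_sample_tree()).items()):
        print(d, "NOTE" if info["note"] else "-", info["encrypted"])
```

Point it at the root of a mapped share to get a per-folder list of encrypted files and the original names the decryptor should produce.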

2. Detection & Outbreak Timeline

  • First sightings: appeared in public incident logs in mid-March 2020.
  • Peak wave: April–May 2020, when attackers aggressively rotated command-and-control (C2) domains (kik[.]hopto[.]org, drp[.]top, dynamic DNS under duckdns[.]org).
  • Still sporadically observed through 2024 in low-volume, targeted, post-exploitation follow-ons (not mass e-mail blasts).

3. Primary Attack Vectors

| Vector | Details & Evidence |
|---|---|
| Unpatched Windows RDP brute-force | Most common entry: attackers port-scan 3389 then spray password lists; successful logins trigger PowerShell payload delivery. |
| EternalBlue (MS17-010) | Systems running legacy SMBv1 (Windows 7/Server 2008) infected by dropping a Zeus-style worm module that also deposits CryptoJoker. |
| Phishing e-mail w/ ISO/ZIP attachments | Disguised as urgent “Contract” or “COVID-19 Safe Workplace Forms” – the archive drops felix.exe / skype.exe, which side-loads the CryptoJoker PE via runonce.exe. |
| Exploit-kit second stage | RIG exploit-kit chains (delivered through malicious advertisements) observed pushing CryptoJoker after successful browser exploitation (CVE-2020-1380 IE 0-day variant). |
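The RDP row in the table is the vector a SOC can catch from logon telemetry alone: a burst of failed logons (event 4625) against many different accounts from one source, followed by a successful RemoteInteractive logon (event 4624, logon type 10). The example below is added here and is not from the page or any vendor; it runs that spray-then-success rule over a constructed, simplified Security-log export, and the column layout, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Security-log export (not real telemetry).
# Columns: time, EventID, LogonType, account, source IP.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_LOG = """\
2020-04-12T02:10:01 4625 10 administrator 203.0.113.7
2020-04-12T02:10:02 4625 10 admin 203.0.113.7
2020-04-12T02:10:03 4625 10 backup 203.0.113.7
2020-04-12T02:10:04 4625 10 scanner 203.0.113.7
2020-04-12T02:10:05 4625 10 jsmith 203.0.113.7
2020-04-12T02:10:09 4624 10 jsmith 203.0.113.7
2020-04-12T08:00:00 4625 10 jsmith 198.51.100.4
2020-04-12T08:00:20 4624 10 jsmith 198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (4625|4624) (\d+) (\S+) (\S+)$")


def detect_rdp_spray(log_text, window=timedelta(minutes=10), min_accounts=4):
    """Flag source IPs whose RDP logon failures hit >= min_accounts distinct
    accounts inside `window` before a successful RDP logon from the same IP.

    Returns [(source_ip, account_that_succeeded, sorted_failed_accounts)]."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, event, logon_type, account, ip = m.groups()
        if logon_type != "10":      # only RemoteInteractive (RDP) logons
            continue
        t = datetime.fromisoformat(ts)
        if event == "4625":
            failures[ip].append((t, account))
            continue
        # 4624: look back over this IP's failures inside the window
        recent = {a for ft, a in failures[ip] if t - ft <= window}
        if len(recent) >= min_accounts:
            hits.append((ip, account, sorted(recent)))
    return hits


if __name__ == "__main__":
    for ip, account, sprayed in detect_rdp_spray(SAMPLE_LOG):
        print(f"spray-then-success from {ip}: {account} after {sprayed}")
```

The single failure from 198.51.100.4 (one user mistyping a password) is not flagged; the five-account spray from 203.0.113.7 that ends in a valid session is.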


Remediation & Recovery Strategies

1. Prevention – Non-negotiable Baseline

  • Patch, Patch, Patch! Push MS17-010, CVE-2020-1472 (Zerologon) and the latest WinRAR RCE fixes.
  • Block Internet-facing RDP – enforce VPN + MFA, change port 3389 internally.
  • Disable SMBv1 fleet-wide: Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol.
  • Software Restriction Policies / AppLocker – whitelist %ProgramFiles%, stop execution from temp dirs (%APPDATA%, %TEMP%).
  • E-mail Gateways – quarantine ISO/ZIP at perimeter before delivery.
  • Immutable / off-site backups with air-gapped verification and weekly restore testing (3-2-1 rule).

2. Removal – Step-by-Step Incident Response

Do NOT pay ransom – payment portal is intermittently offline and Decrypter tool is insecure.

  1. Isolate – cut the infected host from the LAN, monitor for lateral movement via a firewall subnet block, and disable any pending scheduled tasks referencing ServiceProvider.exe.
  2. Disable scheduled autostart – inspect registry keys:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ and HKLM\… for service.exe, svhost64.exe, or random 8-hex GUID keys.
  3. Kill processes (if still running):
  • cryptoJoker.exe (signed with a revoked cert and packed by UPX)
  • Any wscript.exe / powershell.exe child processes launching payloads from %APPDATA%\Roaming\Temp\.
  4. Full on-disk sweep with updated EDR (e.g., Malwarebytes, SentinelOne, CrowdStrike) in safe mode or from an offline PXE boot; full scan again post-reboot.
  5. Nuke & pave (preferred) – wipe-disk rebuild; use gold-image restore; run the group policy baseline checker before rejoining the domain.
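Step 2 and step 3 above name the persistence indicators to look for: the dropper names, the random 8-hex value names under Run, and script launchers started from %APPDATA% / %TEMP% paths. This added example (not the page's or any vendor's tooling) applies those indicators to the text output of a `reg query` of the Run keys, so an analyst can paste an export from a suspect host and get a list of entries to remove; the export shown is constructed for the demonstration.

```python
import re

# Constructed `reg query`-style export of the Run keys (not from a real host).
# reg.exe separates the name, type and data columns with four spaces.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\pat\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    a3f9c1d2    REG_SZ    C:\Users\pat\AppData\Roaming\Temp\service.exe
    Updater    REG_SZ    wscript.exe //B "C:\Users\pat\AppData\Roaming\Temp\up.vbs"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svhost64    REG_SZ    C:\ProgramData\svhost64.exe
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+\\.*$")
VALUE_RE = re.compile(r"^ {4}(.+?) {4}(REG_\w+) {4}(.*)$")
# Indicators taken from the removal steps above.
DROPPER_NAMES = ("service.exe", "svhost64.exe", "cryptojoker.exe")
HEX8_RE = re.compile(r"^[0-9a-f]{8}$", re.I)
TEMP_PATH_RE = re.compile(r"%APPDATA%|%TEMP%|\\AppData\\Roaming\\|\\Temp\\", re.I)
LAUNCHER_RE = re.compile(r"\b(wscript|cscript|powershell|mshta)(\.exe)?\b", re.I)


def triage_run_keys(reg_output):
    """Return [(key, value_name, data, [reasons])] for suspicious Run entries."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, _type, data = m.groups()
        reasons = []
        if any(d in data.lower() for d in DROPPER_NAMES):
            reasons.append("known dropper name")
        if HEX8_RE.match(name):
            reasons.append("random 8-hex value name")
        if TEMP_PATH_RE.search(data):
            reasons.append("runs from %APPDATA%/%TEMP% path")
        if LAUNCHER_RE.search(data):
            reasons.append("script launcher")
        if reasons:
            findings.append((key, name, data, reasons))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in triage_run_keys(SAMPLE_REG_OUTPUT):
        print(f"{key}\\{name}: {data}\n    -> {', '.join(reasons)}")
```

Legitimate entries such as OneDrive (AppData\Local, no launcher) and SecurityHealth pass; the three suspicious values are reported with the reason for each.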

3. File Decryption & Recovery

  • Current Status: Decryption IS possible for CryptoJoker 2020 versions only.
    The threat actors reused a static RSA-1024 private exponent (the PEM file is hard-coded into the dropper).
  • Emsisoft CryptoJoker Decryptor – OFFICIALLY released (Emsisoft, 2020-08-17).
    ⇒ Grab: Emsisoft_Decryptor_for_cryptoJoker.exe from https://decrypt.emsisoft.com/cryptoJoker
  • Important steps when using decryptor:
  1. Only run on a cleaned / re-imaged system (otherwise decryptor output can be re-encrypted).
  2. Must retain at least one pair of original + encrypted file in the same folder for brute-forcing the symmetric keys (decryptor auto-detects).
  3. Ensure adequate free space (decryptor temporarily creates .tmp files during processing).
  • Legacy backups – If a decrypted file is not perfect (e.g., a Word doc is recovered but its header remains corrupted), fall back to VSS shadow copies (vssadmin list shadows) or an offline Veeam/Druva image.

4. Additional Critical Information

Behavioral traits worth highlighting:

  • Ransom note routine (ReadmeDecrypt!.txt): alongside dropping the note, the malware exfiltrates a small subset of filenames (accounting .docx/.xlsx) to the external C2, potentially exposing sensitive folder structure.
  • Exclusion list: CryptoJoker explicitly skips paths containing: \Windows, \Program Files, \Recycler, \tor-browser, \AppData\Local\Microsoft\Teams – useful when deciding where to relocate key backup folders.
  • Ransom amount & timer: demands 0.5 BTC ≈ USD 4,500 (May 2020), doubles every 72 hrs, and finally deletes keys after 168 hrs; the wallet address is static (1J3YHcoF45ASpLuVPw8…) and already tagged on Chainalysis & OFAC lists.

Broader Impact / Notable Case Examples

  • Local government in Tennessee (April 2020): 350 TB of county records encrypted; the Emsisoft decryptor was supplied within 10 days, saving ~USD 200 000 in ransom.
  • South-Korean SME chain (May 2020): EternalBlue lateral spread knocked 120 POS terminals offline during peak hours; EDR quarantine limited the blast radius to 13% of endpoints, mitigating PCI DSS violation risk.

Bottom line: If you’ve been hit by CryptoJoker since March 2020, the saving grace is public decryption – isolate, wipe, decrypt with the Emsisoft tool, reboot, then delete any leftover persistence keys.