CryptoJoker targets the Windows OS and spreads via spam and phishing campaigns. It infects systems by disguising its installer as a PDF. Once the executable is launched, it establishes persistence, contacts its C2 server, terminates various processes, deletes Shadow Volume Copies, disables Windows startup repair, scans all mapped drives, and encrypts files using AES-256. Encrypted files carry the .crjoker extension.
- Bleeping Computer provides more information about CryptoJoker, found here.
- The NJCCIC is not aware of any decryption tools available for CryptoJoker.
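The behaviours listed above (recovery inhibition followed by a burst of files taking the .crjoker extension) are what a defender can look for in endpoint telemetry. The following is an added example, not code from the NJCCIC profile or from any vendor: it runs simple indicator checks over constructed process-creation and file-rename records. The .crjoker extension comes from the profile; the command-line patterns for deleting shadow copies and disabling startup repair, and the double-extension check for a PDF-disguised executable, are assumptions about how these actions are commonly carried out on Windows, not indicators the profile states.

```python
"""Added detection example for the CryptoJoker behaviours described in the
profile. Only the .crjoker extension is taken from the profile; the command
patterns and the PDF-disguise check are assumptions about common Windows
tradecraft, not facts stated in the source."""
import re
from dataclasses import dataclass

# Extension named in the profile.
CRJOKER_EXT = ".crjoker"

# Assumed command-line patterns (not from the profile): built-in Windows
# utilities typically used to delete Shadow Volume Copies and to disable
# startup repair / boot failure recovery.
SUSPICIOUS_COMMANDS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_deletion_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "startup_repair_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "boot_status_policy": re.compile(r"bcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
}
RECOVERY_KINDS = set(SUSPICIOUS_COMMANDS)

# Assumed disguise pattern: an executable whose name ends in ".pdf.<exe-like>".
PDF_DISGUISE = re.compile(r"\.pdf\.(exe|scr|com)$", re.I)


@dataclass
class Finding:
    kind: str
    detail: str


def check_command_line(cmdline: str) -> list[Finding]:
    """Return one Finding per assumed recovery-inhibition pattern matched in a command line."""
    return [Finding(name, cmdline) for name, pat in SUSPICIOUS_COMMANDS.items() if pat.search(cmdline)]


def looks_like_pdf_disguise(image_path: str) -> bool:
    """True when the launched image carries a PDF-looking double extension (assumed heuristic)."""
    return PDF_DISGUISE.search(image_path) is not None


def check_file_events(paths: list[str], burst_threshold: int = 5) -> list[Finding]:
    """Flag paths carrying the .crjoker extension and add a burst finding when many appear."""
    hits = [p for p in paths if p.lower().endswith(CRJOKER_EXT)]
    findings = [Finding("crjoker_extension", p) for p in hits]
    if len(hits) >= burst_threshold:
        findings.append(Finding("mass_rename_burst", f"{len(hits)} files renamed to {CRJOKER_EXT}"))
    return findings


def triage(process_events: list[dict], file_events: list[str], burst_threshold: int = 5) -> dict:
    """Correlate per-host command-line findings with file findings into one summary.

    The verdict is deliberately conservative: it requires both a recovery-inhibition
    command and a burst of .crjoker renames, since either alone has benign explanations
    (an administrator clearing shadow copies, a single stray file)."""
    per_host: dict = {}
    for ev in process_events:
        kinds = [f.kind for f in check_command_line(ev["cmdline"])]
        if looks_like_pdf_disguise(ev["image"]):
            kinds.append("pdf_disguised_executable")
        if kinds:
            per_host.setdefault(ev["host"], []).extend(kinds)
    file_kinds = [f.kind for f in check_file_events(file_events, burst_threshold)]
    recovery_inhibited = any(k in RECOVERY_KINDS for kinds in per_host.values() for k in kinds)
    return {
        "hosts": per_host,
        "files": file_kinds,
        "likely_ransomware": recovery_inhibited and "mass_rename_burst" in file_kinds,
    }


# Constructed sample telemetry (not real captures): process-creation records and
# file paths observed on two workstations.
SAMPLE_PROCESS_EVENTS = [
    {"host": "WS-01", "image": "C:\\Users\\alice\\Downloads\\Invoice_2016.pdf.exe",
     "cmdline": "\"C:\\Users\\alice\\Downloads\\Invoice_2016.pdf.exe\""},
    {"host": "WS-01", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "WS-01", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "WS-01", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS-02", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\bob\\notes.txt"},
]
SAMPLE_FILE_EVENTS = [
    "C:\\Users\\alice\\Documents\\budget.xlsx.crjoker",
    "C:\\Users\\alice\\Documents\\report.docx.crjoker",
    "Z:\\shared\\contracts\\msa.pdf.crjoker",
    "Z:\\shared\\contracts\\sow.pdf.crjoker",
    "C:\\Users\\alice\\Pictures\\cat.jpg.crjoker",
    "C:\\Users\\alice\\Downloads\\invoice.pdf",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)
    for host, kinds in result["hosts"].items():
        print(f"{host}: {', '.join(kinds)}")
    print(f"file findings: {len(result['files'])}, likely ransomware: {result['likely_ransomware']}")
```

The mapped-drive path (Z:) in the sample reflects the profile's note that the malware scans mapped drives, so a file-rename burst spanning local and network paths from one host is a stronger signal than local renames alone. In a real deployment the regexes would be fed from process-creation events (Sysmon Event ID 1 or EDR equivalents) and the file paths from file-system auditing; the thresholds here are illustrative.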