One example of the CryptoJoker variant.

Image Source: Bleeping Computer

CryptoJoker targets Windows systems and spreads via spam and phishing campaigns, with the installer disguised as a PDF file. Once the executable is launched, it establishes persistence, contacts its C2 server, terminates various processes, deletes Volume Shadow Copies, disables Windows startup repair, scans all mapped drives, and encrypts files using AES-256. Encrypted files are given the .crjoker extension.

UPDATE 8/31/2018: A new version of CryptoJoker, dubbed CryptoNar, creates a ransom note named CRYPTONAR RECOVERY INFORMATION.txt and changes the encryption method depending on the type of file targeted.
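A small triage scan for the two on-disk artifacts named above (the .crjoker extension from the original description and the CRYPTONAR RECOVERY INFORMATION.txt note from the update), as an added example that is not part of the original page; the directory tree it builds in demo() is constructed sample data.

```python
"""Triage scan for CryptoJoker / CryptoNar file-system artifacts (added example)."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the description above.
ENCRYPTED_EXT = ".crjoker"
CRYPTONAR_NOTE = "CRYPTONAR RECOVERY INFORMATION.txt"


def scan_tree(root):
    """Walk root and return (variants, encrypted_by_dir, note_paths).

    variants:         names inferred from the artifacts found
    encrypted_by_dir: Counter of directory -> number of .crjoker files
    note_paths:       every ransom note located under root
    """
    encrypted_by_dir = Counter()
    note_paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted_by_dir[dirpath] += 1
            elif name.lower() == CRYPTONAR_NOTE.lower():
                note_paths.append(os.path.join(dirpath, name))
    variants = set()
    if encrypted_by_dir:          # .crjoker files are common to both versions
        variants.add("CryptoJoker")
    if note_paths:                # the named note is specific to CryptoNar
        variants.add("CryptoNar")
    return variants, encrypted_by_dir, note_paths


def demo():
    """Build a constructed sample tree (not real malware output) and scan it."""
    root = tempfile.mkdtemp(prefix="crjoker_demo_")
    docs = Path(root, "Documents")
    docs.mkdir()
    for i in range(3):
        (docs / f"report{i}.docx{ENCRYPTED_EXT}").write_bytes(b"\x00" * 16)
    (docs / "notes.txt").write_text("untouched file")
    (Path(root) / CRYPTONAR_NOTE).write_text("constructed ransom note text")
    return scan_tree(root)


if __name__ == "__main__":
    found, per_dir, notes = demo()
    print(found, dict(per_dir), notes)
```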

  • Bleeping Computer provides more information about CryptoJoker, found here.
  • Michael Gillespie released a free decryption tool for the CryptoNar variant, available here.