Jokeroo Ransomware
Ransomware | 05/30/2019

How To Remove Jokeroo Ransomware – Virus Removal Guide

About: Jokeroo Ransomware is a RaaS that first appeared as a variant of GandCrab Ransomware. Its developers changed its name to Jokeroo & began promoting it as RaaS. Other cyber-criminals are purchasing this Ransomware, creating customized versions...  Read More  

| Ransomware | How To Remove Jokeroo Ransomware – Virus Removal Guide

Guide to Remove Jokeroo Ransomware

Jokeroo is the name of a Ransomware-as-a-service that appeared on the underground hacking sites in March 2019. It is a recent menacing member in the family of Ransomware that is using Twitter & other social networks for its propagation.

The Jokeroo crypto virus initially, posed as a variant of the notorious GandCrab Ransomware & appeared on a malicious website,

Jokeroo promoted its services on Twitter


Surprisingly, the developers changed its name to Jokeroo Ransomware as a service& began to advertise it on Twitter social network.

Threat Summary

Name: Jokeroo
Type: Ransomware
Category: Malware
Targeted Operating System: Windows
Targeted Browsers: Google Chrome, Internet Explorer, Mozilla Firefox


Understanding what is RaaS (Ransomware-As-A-Service)

A RaaS or Ransomware-As-A-Service appears when a developer invents a Ransomware & its payment site with the sole motive of allowing affiliates to buy membership package, sign up to distribute their own versions of this ransomware.

According to the deal signed between the developer & the affiliates, the ransom amount received from the victims is distributed between them.

Jokeroo Ransomware, now being sold as a service to cyber criminals, facilitates the creation of the customized versions of this Ransomware virus by offering its subscribers (cyber criminals), multiple membership packages. With access to a completely well-designed Ransomware & its payment server, numerous versions of this Ransomware with different names are now being created.

Jokeroo Ransomware Faked an Exit Scam Recently

The Tor (The Onion Router) sites for the Jokeroo Ransomware began to display a note on 7th May 2019. The note stated that the Royal Thai Police together with Dutch National Police & Europol have seized Jokeroo’s server, rendering the Ransomware inoperative.

Later, it was found that Jokeroo RaaS faked the notice of being seized by cyber security &performed an exit scam.


            The Content of the Jokeroo Exit Scam read as follows-

Fake Exit Scam posed by Jokeroo on website


What Jokeroo Ransomware RaaS offers to its Affiliates?

Jokeroo Ransomware made its first appearance on a hacking forum named, where its masqueraded as a variant of GandCrab Ransomware.

Soon, its developers developed it as RaaS and renamed it as Jokeroo Ransomware as a service. They started promoting this on Twitter.

The Jokeroo offered an autonomous service to the affiliates where they could buy RaaS membership packages ranging from $90 to $600.

Below are the benefits that an affiliate paying $90 gets –

Jokeroo RaaS Membership Benefits

Depending on the membership package chosen, the affiliates could customize Ransomware by choosing the extension, creating their own ransom note & earning up to 85% – 100% of the ransom payments.

Other perks earned by affiliates that purchase $300 to $600 membership package include –

  • Salsa20 Encryption Method
  • Ransomware Variants
  • Crypto Currency Payment Methods

Once the affiliates have made the payment, they gain access to the admin dashboard – jokeroodgo3ylved.onion/dashboard.php.

The main dashboard for this RaaS displays the amount earned by Jokeroo so far. It allows the affiliates a quick access to the list of victims, time when they were infected & the payment status. Other sensitive information that the affiliates could access include IP Address, Windows Version&geographic location of the Victims.

Threat Behavior of Jokeroo RaaS

Once the Jokeroo Ransomware has infected the system, it uses AES or Salas20 Encryption Algorithm to encrypt user & system files. The files are renamed with a customized extension (given by affiliates who bought RaaS)& thus made unavailable to the victims.

The files encrypted by the Ransomware include-

  • Document files (.docx, .doc, .odt, .rtf, .text, .pdf, .htm, .ppt)
  • Audio Files (.mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4)
  • Video Files (.3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob)
  • Images (.jpg, .jpeg, .raw, .tif, .gif, .png)
  • Backup Files (.bck, .bckp, ,tmp, .gho)

The Ransomware may further make entries in the Windows Registry, to launch the crypto-virus automatically after every system reboot.

The ransom note for Jokeroo is not fixed as the affiliates who buy the RaaS customize the ransom message. The note asks users to pay the ransom amount in Currency or Bitcoin(s) via payment method chosen by the affiliates.

Victims are advised not to pay the ransom amount as there is no guarantee that the encrypted files will be restored after the payment is made.

Instead, users should be vigilant while clicking on e-mails & content found on the internet. The intrusion of Ransomware may be avoided by implementing certain security measures while surfing & downloading files from internet.

Distribution Techniques

Jokeroo may propagate its infection through various other distribution methods. These may include –

  • Exploit Kits
  • Spam E-Mail Campaigns
  • Infected Network File-Sharing Services
  • Zipped Java Script Attachments

The cyber threat actors often insert an infected executable file or a malicious hyperlink to a spam e-mail. In addition to that, they pretend to be associated with some reliable organization, thus giving a legitimate look to the spam-email.

A mere click on such e-mails could download & install menacing Jokeroo on your system.

How to Remove Jokeroo Ransomware infection from the system- 

STEP A: Remove the services installed by Jokeroo Ransomware from the System using Safe mode with Command Prompt

Windows 7/ Vista/ XP

  1. Click on Windows icon present in the lower left corner of the computer screen.
  2. Select and click Restart.
  3. When the screen goes blank, keep tapping F8 key until you see the Advanced Boot Options window.
  4. With the help of arrow keys on keyboard, Select Safe Mode with Command Prompt from the list and press the Enter Key. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password (if any).

Windows 10 / Windows 8

  1. Press and hold the Shift Key and simultaneously click on the windows icon present in the lower left corner of your computer screen.
  2. While the Shift key is still pressed click on the Power button and then click on Restart.
  3. Now select Troubleshoot → Advanced options → Startup Settings.
  4. When the Startup Settings screen appears which is the first screen to appear after restart, select and click on Enable Safe Mode with Command Prompt. The system will then restart to Safe Mode with Command Prompt.
  5. Click on the username and enter the password.

STEP B: Restore your system files and settings

Method 1 using Control Panel

  1. Click on the ‘Start’ button on the taskbar. This will open the Start menu.
  2. Click on the ‘Control Panel’ button in the Start menu. This will open the control panel window.
  3. In the Control Panel window, click on the ‘View by:’ button on the top right. Select the Large Icon option
  4. In the control Panel window click on the ‘Recovery Icon’. This will open a window that will ask ‘Restore the computer to an earlier point in time’.
  5. Click on the ‘Open system restore’ button. This will open the ‘system restore ’window where you need to click on the Next Button.
  6.  Select the restore point that is prior the infiltration of Jokeroo Ransomware. After doing that, click Next.
  7. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Jokeroo Ransomware


Method 2 using Command Prompt

  1. Type cmd in the search box and click on the command prompt to open the Command Prompt window. box and clicking on it.
  2. Once the Command Prompt window shows up, enter cd restore and click Enter.(Ensure that you in the system32 directory of Windows folder in C Drive)
  3. Now type rstrui and press Enter again.
  4. When a new window shows up, click Next and select your restore point that is prior the infiltration of Jokeroo Ransomware. After doing that, click Next.
  5. This will open the ‘Confirm your restore point’ dialog box. Click on Finish button. This will restore your system to a previous restore point before your system was infected by Jokeroo Ransomware.



Method 3 : Directly type 'rstrui' in the search box

  1. Type ‘Rstrui’ in the search box present on the task bar. This will open the System restore dialog box.

Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.

How to prevent Jokeroo RaaS from infecting your system- 

  1. Keeping the Operating System Updated- In order to remain protected and avoid such infections, it is recommended to keep your Operating System updated by enabling the automatic update on your system. The systems with outdated or older versions of Operating System become an easy target for the attackers.
  2. Resist clicking on spam emails – One of the major techniques used for malware distribution is forwarding spam emails to the user. The system gets infected as soon as the user clicks on the attachment. These mails appear to be genuine, so be aware and resist falling for these tricks.
  3. Keep an eye on third party installations- It is quite important that you take due care while installing any third party applications for they are major source of such infections. Such malware programs come bundled with the free applications thereby requiring the user to remain cautious.
  4. Regular periodical backup- In order to keep your data and files safe, it is recommended to take regular back up of all your data and files either on an external drive or cloud.
  5. Use Anti-Virus Protection- We strongly recommend the use of antivirus protection/internet security in your PC like Kaspersky, Avast, Hitman Pro and Sophos so that it remains safe.
  6. Enable the Ad Blocker/Popup Blocker in your browser- Enabling the popup blocker/ ad blocker in your chosen browser will help you to stay protected from annoying adware.

Hits: 657

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866