Jdokao ransomware, part of the Snatch malware family, is a file-encrypting infection that could lead to permanent file loss. It adds the .jdokao extension to encrypted files (e.g. image.jpg -> image.jpg.jdokao) and drops the HOW TO RESTORE YOUR FILES.TXT ransom note.
Jdokao ransomware is malware that encrypts files, which is why it’s considered to be one of the more dangerous malware infections. In some cases, files may be permanently encrypted. It infects a computer using the usual infiltration methods, and immediately starts the encryption process. Once files are encrypted, the malware adds .jdokao to them, and drops a ransom note that asks victims to contact the operators of this ransomware to get a decryptor. Victims are asked to email firstname.lastname@example.org or email@example.com to get the decryptor. The ransom sum is not mentioned in the note, though it will likely range from $100 to at least $500.
While some sites may claim otherwise, Jdokao ransomware is currently undecryptable for free. The only way to restore files without paying the ransom is backup. If victims of this ransomware backed up files prior to their computers becoming infected, they can access the backup as soon as they remove Jdokao ransomware. For users who do not have backup, paying the ransom is not recommended. Users should keep in mind that paying does not necessarily bring the desired outcome. On the contrary, it could do even more damage as users would not only lose their files but their money as well. There have been many instances in the past when the cyber criminals behind ransomware simply did not send a decryptor after receiving the ransom.
Malware researchers do release free decryptors occasionally, but one for Jdokao ransomware is not yet available. This may change in the future, so it’s a good idea to back up encrypted files and wait for a decryptor.
Bad habits often lead to a ransomware infection
In many cases, users infect their computers with ransomware because they have not developed good browsing habits. If users open email attachments without double checking, pirate via torrents and download software cracks, click on ads on high-risk websites, and do not install updates, it’s no wonder that they pick up some kind of malware.
Opening spam email attachments is one of the most common ways users can pick up a ransomware infection. Users’ email addresses for these spam email campaigns are usually purchased from hacker forums, which post data hacked/leaked from various services. If users pay attention and double check before opening unknown email attachments, they should be able to notice the signs of a spam email. The emails often contain loads of grammar and spelling mistakes, are sent from nonsense email addresses, and put pressure on users to open the attachment. We should also mention that senders of these emails often claim to be from known companies or organizations. Some spam emails are more sophisticated than others, which is why it’s a good idea to scan all unsolicited email attachments with anti-malware software or VirusTotal.
Downloading torrents and software cracks can also lead to a serious infection. Torrent sites in particular are often unregulated, which allows cyber crooks to upload disguised malware. It’s usually torrents for content that is popular at that time, such as movies, games, TV series, etc. By pirating, users are not only stealing content but are also putting their computer in danger of getting infected.
Clicking on advertisements when browsing high-risk websites may also lead to malware. Certain sites, usually pornography or streaming, have unsafe ads on them, and interacting with them could be troublesome. It’s not recommended to browse high-risk websites without an adblocker and anti-virus software.
Is it possible to decrypt Jdokao ransomware files?
As soon as the malware is initiated, it will start file encryption. It will mainly target files like photos, videos, documents, etc. All encrypted files will have the .jdokao file extension, which is why this ransomware is called Jdokao ransomware. Files with that extension cannot be opened unless they are decrypted with a special decryption tool. Once the encryption is complete, the ransomware will drop the HOW TO RESTORE YOUR FILES.TXT note, which is identical to the ones dropped by other ransomware from the Snatch ransomware family.
Here is the ransom note dropped by Jdokao ransomware (HOW TO RESTORE YOUR FILES.TXT):
Hello! All your files are encrypted and only I can decrypt them.
firstname.lastname@example.org or protonmail.com
Write me if you want to return your files – I can do it very quickly!
The header of letter must contain extension of encrypted files.
I’m always reply within 24 hours. If not – check spam folder, resend your letter or try send letter from another email service (like protonmail.com).
Do not rename or edit encrypted files: you may have permanent data loss.
To prove that I can recover your files, I am ready to decrypt any three files (less than 1Mb) for free (except databases, Excel and backups)
The price for the decryptor is not mentioned in the ransom note, but it would be specified if users sent an email to email@example.com or firstname.lastname@example.org. We don’t recommend contacting these cyber crooks, or paying the ransom. There really are no guarantees that files would be decrypted, as cyber criminals can simply take the money and not send the decryptor.
Unfortunately, backup is currently the only way to recover files for free. A free decryptor may be released by malware researchers in the future, but one is currently not available. Users should be very careful about where they download decryptors from because there are many fake ones. NoMoreRansom and Emsisoft are safe sources for decryptors, as are malware researchers like Michael Gillespie.
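Because backup is the only recovery path, it helps to know exactly which files were encrypted and which of them the backup actually covers. The following read-only inventory script is an added example, not part of the original article or any vendor tool; it relies only on the .jdokao extension and the ransom note name given above, and assumes the backup mirrors the same relative folder layout. The function names and the demo tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".jdokao"                      # extension named in this article
NOTE_NAME = "HOW TO RESTORE YOUR FILES.TXT"    # ransom note named in this article


def inventory(root):
    """Walk root without modifying anything; return encrypted files,
    ransom note locations and a per-directory count of encrypted files."""
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.upper() == NOTE_NAME:
                notes.append(full)
            elif name.lower().endswith(ENCRYPTED_EXT):
                # image.jpg.jdokao -> image.jpg is the name to look for in backup
                original = full[: -len(ENCRYPTED_EXT)]
                encrypted.append((full, original))
                per_dir[dirpath] += 1
    return encrypted, notes, per_dir


def missing_from_backup(encrypted, root, backup_root):
    """Return relative paths of encrypted originals with no copy in the backup."""
    missing = []
    for _enc, original in encrypted:
        rel = os.path.relpath(original, root)
        if not os.path.isfile(os.path.join(backup_root, rel)):
            missing.append(rel)
    return sorted(missing)


def build_demo_tree():
    """Constructed sample data: a small affected tree and a partial backup."""
    root, backup = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("image.jpg.jdokao", "docs/report.docx.jdokao",
                "docs/" + NOTE_NAME, "untouched.txt"):
        open(os.path.join(root, rel), "w").close()
    open(os.path.join(backup, "image.jpg"), "w").close()  # only one file backed up
    return root, backup


if __name__ == "__main__":
    root, backup = build_demo_tree()
    enc, notes, per_dir = inventory(root)
    print(len(enc), "encrypted file(s),", len(notes), "ransom note(s)")
    print("not covered by backup:", missing_from_backup(enc, root, backup))
```

Files reported as not covered by backup are the ones worth copying to separate storage, unrenamed, in case a decryptor is released later.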
Jdokao ransomware removal
Users should not try to delete Jdokao ransomware manually unless they know exactly what they’re doing, because that would result in more trouble. Jdokao ransomware removal should be done using anti-malware software.
Once the ransomware is no longer present, users can access their backup.
Jdokao ransomware is detected as:
- A Variant Of Win64/Filecoder.BL by ESET
- HEUR:Trojan-Ransom.Win32.Gen.vho by Kaspersky
- Ransom.Snatch by Malwarebytes
- Ransom:Win64/Snatch.A!MTB by Microsoft
- Ransom.Win64.KRYGO.SMTH by TrendMicro
- Win64:Trojan-gen by Avast/AVG
- Gen:Variant.Ransom.GoRansom.2 by BitDefender