Josephnull Ransomware

What is Josephnull Ransomware?

Josephnull Ransomware is an infection that you are unlikely to notice when it enters, but that you are bound to face once the attackers want you to. The infection works in several stages. First, it has to invade your operating system, and it might exploit existing RDP vulnerabilities, spam emails, or unreliable downloaders to do so. If the system is not protected appropriately, the infection might be able to slither in without anyone noticing. After that, it moves on to the second stage of the attack, during which it drops files, encrypts your personal files, and also deletes shadow volume copies. Finally, it reveals itself with the help of ransom note files, at which point it blatantly demands money. Hopefully, you have not been victimized by this malware yet, but if you have, you want to remove Josephnull Ransomware as soon as possible. That might not save your files, but your system will be safer as a result. We also share important tips that, hopefully, will help you keep your files and your operating system safe against ransomware in the future.

How does Josephnull Ransomware work?

According to our researchers, Josephnull Ransomware comes from the Hakbit Ransomware family. Once it encrypts files, it appends the “.crypted” extension to their names, and this particular extension has been used by other threats before, so it is not enough on its own to identify the infection; the other identifiers of the threat are discussed further on. To encrypt files, Josephnull Ransomware employs a unique encryptor that specifically targets files with these extensions: ".eml", ".host", ".fzip", ".tiff", ".tar", ".rdl", ".zip", ".odb", ".raw", ".png", ".ldf", ".dat", ".csv", ".vdi", ".txt", ".mp4", ".pfx", ".cs", ".docx", ".aiff", ".cpp", ".xls", ".doc", ".avi", ".asm", ".sql", ".mdf", ".gif", ".7z", ".dbf", ".mp3", ".svg", ".m4a", ".rnd", ".vmx", ".odt", ".xlsx", ".ndf", ".java", ".ppt", ".bak", ".ods", ".edb", ".tdat", ".mdb", ".rar", ".msg", ".mkv", ".wav", ".jpg", ".jpeg", ".mpeg", ".key", ".html", ".pdf", ".wmdb", ".psd", ".vmsg", ".odg", ".rtf", ".pem", ".htm", ".vmdk", ".php". It also deletes shadow volume copies, which should make it impossible to recover files using a system restore point. This is why we do not recommend relying on restore points for file protection. It is much better to store copies of important files online or on external drives that are not connected to the infected system.

After files are encrypted, Josephnull Ransomware deletes itself. Before that, however, it modifies a few values in the Windows Registry, and it also drops a file named “HOW_TO_DECYPHER_FILES.hta.” The registry values are modified so that a ransom message shows up after the system is restarted. If you get past this startup screen, you can find the HTA file on the Desktop. Both messages state that all encrypted files can be restored if the victim pays a ransom of $20,000. The currency of the payment is Bitcoin, and, at the time of research, 20,000 US dollars (if that is the currency) converted to 1.69 Bitcoin (BTC). When we checked the wallet to which the payment was to be transferred (1F6sq8YvftTfuE4QcYxfK8s5XFUUHC7sD9), it was empty. This is good news. Nonetheless, the attackers behind Josephnull Ransomware could still trick people into contacting them (at or and then paying the ransom. Even if you have enough money, paying the ransom is too risky: you are unlikely to be given anything in return. The situation is not hopeless only if you have backup copies of personal files stored online or on external drives. If that is the case, you can replace the corrupted files.

How to remove Josephnull Ransomware

The executable file of Josephnull Ransomware should remove itself automatically, but some components of the threat may remain active. We have prepared a manual removal guide below to help you get rid of these components, but you should take on this task only after considering the use of anti-malware software. It can delete Josephnull Ransomware components automatically, which, of course, makes the process much easier. Furthermore, it can take on the responsibility of securing your operating system against malware in the future. If you have the luxury of replacing your files with backup copies, we suggest that you do that only after your system is cleaned and protected completely. If there is anything else that we can help you with, do not hesitate to contact us, which you can do using the comments section.

Removal Instructions

  1. Simultaneously tap Windows+E keys to access File Explorer.
  2. Enter %TEMP% into the field at the top to open the directory.
  3. If you can identify a malicious {random letters}.exe file, right-click and Delete it.
  4. Simultaneously tap Windows+R keys to access Run.
  5. Type regedit into the dialog box and click OK to access Registry Editor.
  6. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  7. Right-click and Delete values named LegalNoticeCaption and LegalNoticeText.
  8. Exit Registry Editor and File Explorer and then move to the Desktop.
  9. Right-click and Delete the file named HOW_TO_DECYPHER_FILES.hta.
  10. Empty Recycle Bin and then employ a trusted malware scanner for a full system scan.
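As an added example (not part of the original article), here is a read-only PowerShell triage script that checks a machine for the indicators described in the sections above and in the removal steps: the Winlogon LegalNoticeCaption/LegalNoticeText values, the HOW_TO_DECYPHER_FILES.hta note on each user's Desktop, files carrying the .crypted extension, and whether any shadow copies remain. It assumes an elevated session and that user profiles live under C:\Users; it deletes nothing, so it can be run before the manual steps and again afterwards to confirm they took effect.

```powershell
# Added triage example: reports Josephnull Ransomware indicators, modifies nothing.
# Assumption: run as Administrator; user profiles are under C:\Users.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$noteName = 'HOW_TO_DECYPHER_FILES.hta'
$findings = @()

# 1. Winlogon legal-notice values: the ransomware uses these to force its
#    message onto the screen after a restart.
$props = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
foreach ($name in 'LegalNoticeCaption', 'LegalNoticeText') {
    $value = $props.$name
    if (-not [string]::IsNullOrEmpty($value)) {
        $findings += [pscustomobject]@{
            Indicator = "Winlogon\$name"
            Detail    = $value.Substring(0, [Math]::Min(80, $value.Length))
        }
    }
}

# 2. The HTA ransom note on every profile's Desktop, not only the current user's.
$desktops = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'Desktop' }
foreach ($d in $desktops) {
    $note = Join-Path $d $noteName
    if (Test-Path -LiteralPath $note) {
        $findings += [pscustomobject]@{ Indicator = 'Ransom note'; Detail = $note }
    }
}

# 3. Count *.crypted files per drive so the scope of damage is known before
#    replacing files from backup.
foreach ($drive in (Get-PSDrive -PSProvider FileSystem)) {
    $count = @(Get-ChildItem -Path $drive.Root -Recurse -File -Filter '*.crypted' `
                -ErrorAction SilentlyContinue).Count
    if ($count -gt 0) {
        $findings += [pscustomobject]@{ Indicator = 'Encrypted files'
                                        Detail    = "$($drive.Root) $count *.crypted" }
    }
}

# 4. Shadow copies: the threat deletes them, so an empty list is consistent with infection.
$shadows = @(vssadmin list shadows 2>$null | Select-String 'Shadow Copy ID').Count
"Shadow copies reported by vssadmin: $shadows"

if ($findings.Count -eq 0) { 'No Josephnull Ransomware indicators found.' }
else { $findings | Format-Table -AutoSize }
```

A full recursive scan of large drives in step 3 can take a while; narrow `-Path` to user data folders if you only need a quick check.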

