Jokdach is a file-encrypting ransomware family that appends the .jokdach extension to user files and drops a ransom note named !!!READ_ME!!!.txt. Victims report that previously accessible documents and media become unreadable and are renamed (for example, 1.jpg → 1.jpg.jokdach).
Jokdach scans reachable drives and encrypts target files with a strong symmetric cipher, then leaves a text ransom demand. The infection both locks files and attempts to ensure recovery is difficult without the attackers’ decryption key.
Follow these containment and cleanup steps immediately:
- Isolate the affected host from the network (physically disconnect or disable networking).
- Preserve forensic evidence: do not power off the machine if live memory or volatile data is needed for investigation. Capture memory and disk images if possible.
- Identify and disconnect other machines showing the same IOCs.
- Boot to clean media and run a full AV/anti-malware scan to remove the encryptor and related components. Use reputable tools and ensure signature/engine updates.
- Reset credentials for accounts that may have been compromised and rotate secrets.
- Restore files from verified, offline backups where available.
Free recovery options
- Restore from backups: The safest free method is to restore from offline or immutable backups created prior to the infection. Verify backup integrity before returning systems to service.
- Volume Shadow Copies / local restore points: On older or misconfigured systems, shadow copies may allow file recovery, but modern ransomware often deletes shadow copies; run authoritative forensic checks before attempting restores.
Paid recovery and professional options
Paid options include engaging incident response (IR) firms or commercial data recovery companies. These providers can:
- Conduct full forensic containment and eradication.
- Attempt professional recovery of corrupted or partially encrypted storage.
- Negotiate or facilitate complex recovery scenarios (but reputable firms will not advise or require payment to criminals).
Step-by-Step Jokdach Recovery Guide with Jokdach Decryptor
1. Assess the infection: Identify the encrypted file extension, .jokdach, and confirm the presence of the ransom note file named !!!READ_ME!!!.txt.
2. Secure the environment: Disconnect compromised systems immediately and verify that no active encryption processes or malicious scripts are still running.
3. Engage our recovery team: Provide us with a few encrypted files along with the ransom note so that we can confirm the Jokdach variant in use. Once validated, we will begin analysis and outline a tailored recovery timeline.
4. Run our decryptor: Execute the Jokdach Decryptor tool as an administrator for best results. Ensure that the machine has an active internet connection, since the decryptor communicates securely with our recovery servers.
5. Enter your victim ID: Retrieve the unique victim ID from the ransom note and input it into the decryptor interface for accurate decryption.
6. Start the decryptor: Initiate the recovery process and allow the tool to restore your encrypted files back to their functional state.
- Offline methods: Suitable for highly secure or air-gapped systems. Recovery can be performed using a drive transfer and a trusted bootable environment.
- Online methods: Designed for faster restoration and direct expert assistance. These require an encrypted network channel and secure file upload, similar to the Jokdach Decryptor’s online support process.
How do encrypted files appear?
Encrypted files keep their original filename and gain the suffix .jokdach. Typical examples:
- report.docx → report.docx.jokdach
- photo.png → photo.png.jokdach
Ransom note — what the attackers demand
The ransom note (filename: !!!_READ_ME_!!!.txt) claims AES-256 encryption and contains a unique victim ID plus a demand to pay 0.5 BTC to the wallet bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh. It instructs victims to contact decryption@protonmail.com and threatens permanent destruction of files after 72 hours.
Excerpt from the note:
    YOUR FILES HAVE BEEN ENCRYPTED WITH MILITARY-GRADE AES-256!
    Your Unique ID: 7496C601295C71D381C5460EE51CB3DF
    Files Encrypted: 93
    Time Left: 72 HOURS
    Send 0.5 BTC to: bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh
    Contact: decryption@protonmail.com
    After 72 hours, all your files will be permanently destroyed! Do not attempt to recover files yourself – this will cause permanent data loss!
Indicators of compromise (IOCs)
Below are the key IOCs you can use to detect a Jokdach incident:
- Example victim ID format: 32-character hex (e.g., 7496C601295C71D381C5460EE51CB3DF)
- AV detection names seen on samples:
  - Avast: Win64:MalwareX-gen [Misc]
  - Combo Cleaner: Generic.Ransom.AE17FA22
  - ESET: Win64/Filecoder.ADG
  - Kaspersky: UDS:Trojan.Win64.Generic
  - Microsoft: Ransom:Win32/Clop.SIB!MTB
Typical tactics, techniques and procedures (TTPs)
Jokdach incidents typically follow these broad behaviors:
- Initial access & delivery: Phishing emails with malicious attachments, compromised download sites, pirated software installers, or exploitation of unpatched apps.
- Execution: The payload executes (often from a dropped EXE or script), runs with user privileges and begins file enumeration.
- Discovery & credential access: The malware may attempt to discover mapped drives, network shares and reachable backup locations; opportunistic credential theft may be present if additional loaders are bundled.
- Encryption: Files are encrypted using a symmetric cipher; metadata and filenames are preserved with the .jokdach suffix.
- Extortion: The ransom note is written to disk and (sometimes) shown on the desktop to force victim contact. Attackers demand cryptocurrency (Bitcoin) and threaten file destruction after a deadline.
- Persistence & lateral movement: Some samples will try to persist or spread to other hosts on the same network; additional trojans that steal credentials or exfiltrate data may be installed alongside the encryptor.
Tools and components observed
While full forensic unpacking is needed per sample, typical components observed with Jokdach-style infections include:
- A main encryptor binary (PE/EXE) that performs file discovery and symmetric encryption.
- Dropper/loader scripts that extract and run the encryptor.
- A ransom note writer that creates !!!_READ_ME_!!!.txt.
- Optional secondary payloads: credential stealers, RATs (remote access trojans) or SMB scanners used for lateral spread.
- Obfuscation layers in the executable (packing/obfuscation) to hinder static analysis.
Signs and symptoms on an infected system
Victims will notice they cannot open many files; file extensions change to .jokdach. A visible ransom note will be present and, in some cases, desktop wallpaper or persistent windows display the extortion demand. System performance may be affected during large-scale encryption.
Data and stats: the original page presents charts of victims by country, victims by organization type, and an incident timeline (charts not reproduced here).
Detection and scanning recommendations
Scan infected and suspected hosts with updated endpoint detection tools. The following detection names have been observed on analyzed samples: Avast Win64:MalwareX-gen, Combo Cleaner Generic.Ransom.AE17FA22, ESET Win64/Filecoder.ADG, Kaspersky UDS:Trojan.Win64.Generic, Microsoft Ransom:Win32/Clop.SIB!MTB. Combine signature scans with behavior monitoring (file modifications, mass renaming) and network monitoring for unusual outbound connections.
When facing a Jokdach ransomware incident, the first step is to isolate the infected system and preserve forensic evidence through imaging. If backups are available, they should be restored from verified, offline sources to minimize further damage. In environments where business continuity is critical, organizations are strongly encouraged to engage experienced incident response professionals for guidance. At the same time, systems must be hardened with proper patch management, enforcement of least privilege, reliable endpoint detection, and offline or immutable backups to reduce the chance of reinfection.
Finally, victims should avoid paying the attackers as their first option; instead, legal and professional counsel should be consulted to determine the safest course of action.
Frequently Asked Questions
Jokdach is a type of crypto-ransomware that encrypts personal and organizational files, appends the .jokdach extension, and demands payment in Bitcoin for file recovery. Victims also receive a ransom note titled !!!READ_ME!!!.txt.
This ransomware is typically distributed via malicious email attachments, pirated software, drive-by downloads, and compromised websites. It may also exploit unpatched vulnerabilities in operating systems or third-party applications.
Recovery is possible without paying, but it depends on several factors. If you have offline backups, you can restore files. Some victims may recover data from shadow copies or through professional recovery services. However, currently there is no free public decryptor for Jokdach.
Paying the ransom is strongly discouraged. Cybercriminals do not guarantee file recovery after payment, and paying only fuels further attacks. Instead, focus on isolation, cleanup, and using professional recovery solutions.
The first step is to disconnect the device from all networks. Then, use reputable antivirus or anti-malware solutions to scan and remove the ransomware. A full system reinstallation may be necessary for complete assurance that no malicious code remains.
In addition to file encryption, Jokdach infections may deliver secondary payloads such as credential stealers, trojans, or remote access tools. This could compromise sensitive data and allow attackers persistent access to the system.
Keep your operating system and applications updated, run endpoint detection and response (EDR) tools, maintain immutable/offline backups, and educate employees on phishing risks. Avoid downloading software from unverified sources.
Yes, paid professional decryptors are available through security vendors and recovery firms. Our Jokdach Decryptor supports both online and offline modes of recovery, with expert support to guide the process securely.
Yes, if cloud folders or mapped network drives are accessible at the time of infection, they can also be encrypted. This is why having offline backups or cloud backups with versioning is critical.
Organizations should deploy SIEM/EDR solutions capable of detecting the IOCs and TTPs of Jokdach. Monitoring for sudden spikes in file renaming, suspicious outbound connections, or the creation of ransom notes can provide early detection.
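As an added example (not code from this page or from the vendor's tool), the behavioural monitoring recommended in the detection section and in the FAQ answer above can be prototyped as a small rule over file-activity events: alert on a burst of renames to .jokdach on one host and on creation of the ransom note, and pull the 32-character hex victim ID out of note text for IOC tracking. The log format, host names and paths are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

EXT = ".jokdach"
NOTE_NAMES = {"!!!READ_ME!!!.txt", "!!!_READ_ME_!!!.txt"}  # both spellings in this write-up
VICTIM_ID_RE = re.compile(r"\b[0-9A-F]{32}\b")  # 32-char uppercase hex victim ID

# Constructed sample file-activity log (not from a real host), one event per
# line: timestamp|host|action|path|new_path (new_path only for RENAME)
SAMPLE_LOG = r"""
2024-05-01T10:00:01|ws-12|RENAME|C:\Users\amy\Docs\report.docx|C:\Users\amy\Docs\report.docx.jokdach
2024-05-01T10:00:02|ws-12|RENAME|C:\Users\amy\Pictures\photo.png|C:\Users\amy\Pictures\photo.png.jokdach
2024-05-01T10:00:02|ws-12|RENAME|C:\Users\amy\Docs\budget.xlsx|C:\Users\amy\Docs\budget.xlsx.jokdach
2024-05-01T10:00:03|ws-12|CREATE|C:\Users\amy\Docs\!!!READ_ME!!!.txt|
2024-05-01T10:05:00|ws-07|RENAME|C:\Users\bob\old.txt|C:\Users\bob\old.bak
"""

def basename(path):
    return re.split(r"[\\/]", path)[-1]

def parse_events(log):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, action, path, new_path = line.split("|")
        yield datetime.fromisoformat(ts), host, action, path, new_path

def detect(log, burst=3, window=timedelta(seconds=60)):
    """Return (host, kind, detail) alerts: a burst of renames to .jokdach, or a ransom-note creation."""
    alerts = []
    renames = defaultdict(list)  # host -> timestamps of renames to EXT
    for ts, host, action, path, new_path in parse_events(log):
        if action == "RENAME" and new_path.lower().endswith(EXT):
            renames[host].append(ts)
            # sliding window: alert once, when the burst threshold is first reached
            recent = [t for t in renames[host] if ts - t <= window]
            if len(recent) == burst:
                alerts.append((host, "mass-rename",
                               f"{burst} renames to {EXT} within {int(window.total_seconds())}s"))
        elif action == "CREATE" and basename(path) in NOTE_NAMES:
            alerts.append((host, "ransom-note", basename(path)))
    return alerts

def extract_victim_ids(note_text):
    """Pull victim IDs (32-char hex) out of ransom-note text for IOC tracking."""
    return VICTIM_ID_RE.findall(note_text)
```

In a real deployment the same rule would consume EDR or Sysmon file events instead of the constructed log, with the burst threshold tuned per host role.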