
Remove CryptoCat Ransomware and Restore .cryptocat Files

A ransomware virus that appends the .cryptocat file extension after encrypting the files of affected users with a strong RSA-2048 algorithm has been detected. The virus also leaves a ransom note in a “Your files are locked !.txt” file, asking victims to contact [email protected] or [email protected] in order to receive instructions on how to pay the hefty sum of 1.45 BTC to get the files back. Researchers strongly advise anyone who has been infected by this ransomware virus not to make any payoff to the cyber-criminals and to wait for a decryption solution to be released. In the meantime, we urge you to remove CryptoCat ransomware and try alternative methods to restore your files, like the ones in the instructions below.

Threat Summary

Name: CryptoCat
Type: Ransomware
Short Description: The malware encrypts users' files using RSA-2048 encryption, which is military grade. It asks for the sum of 1.45 BTC for their decryption.
Symptoms: CryptoCat adds its distinctive .cryptocat file extension and leaves a “Your files are locked !.txt” file with instructions on how to pay the ransom.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.

CryptoCat Ransomware – How It Spreads

To replicate, CryptoCat acts just like a real cat: it hunts and waits for its victims to open its malicious e-mail attachments or files. As soon as the user opens them, the malware may execute a drive-by download of a malicious file and may start it automatically on the user's PC to begin encrypting files. In addition, the virus may use a combination of tools to ensure that a successful infection takes place:

  • Malware obfuscators otherwise known as cryptors that hide the malicious file from real-time shields. Expensive to buy but worth it for crooks.
  • Exploit kits that take advantage of Windows exploits to cause a successful infection.
  • JavaScript files that may cause a file-less infection.
  • SpamBots to quickly spread spam web links or malicious e-mail attachments.

The spam messages that may spread CryptoCat vary in character. They usually aim to convince users that the URL or the attachment is important. Topics may include:

  • “Invoice.”
  • “Confirmation letter for purchase.”
  • “Add me in your LinkedIn network.”

Users should use e-mail services with advanced spam filters and always check attachments and URLs they believe are suspicious before opening them.

CryptoCat Ransomware – More Information

When it has been executed on your computer, the CryptoCat virus may drop several files in the following Windows folders:

→ %AppData%
%System Drive%
%Temp%
%System32%
%Roaming%
%Local%

Since the virus is believed to be a variant of another ransomware project, called PClock, it may create the following files as well:

→ %AppData%\WinDsk\windsk.exe
%AppData%\WinDsk\windkwp.jpg

The files may have different names than Windsk. The virus may also create files on the %Desktop%, like the following:

→ CryptoCat.lnk

This file may lead the user to a payment page for the ransom.

In addition to this, the CryptoCat virus may modify the following Windows key to make the malicious files of CryptoCat run on Windows startup:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
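The indicators listed so far (the .cryptocat extension, the ransom note name, CryptoCat.lnk, the WinDsk folder and the Run key) can be checked with a short triage script. This is an added example, not code from the article's authors or from any removal tool; the function names are assumptions, and the Run-key check treats any autostart from a WinDsk, AppData or Temp path as a candidate for review.

```python
import os

# Indicators taken from the article; matching is case-insensitive like NTFS.
ENCRYPTED_EXT = ".cryptocat"
FILE_NAMES = {"your files are locked !.txt": "ransom note",
              "cryptocat.lnk": "desktop shortcut to payment page"}
DROP_DIR = "windsk"  # %AppData%\WinDsk\ (the article notes names may differ)
# Drop folders from the article, as they appear in expanded paths.
USER_WRITABLE = ("\\appdata\\", "\\temp\\")

def scan_tree(root):
    """Walk root and return sorted (kind, path) pairs for every indicator hit."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        in_drop_dir = os.path.basename(folder).lower() == DROP_DIR
        for name in files:
            low, path = name.lower(), os.path.join(folder, name)
            if low.endswith(ENCRYPTED_EXT):
                hits.append(("encrypted file", path))
            elif low in FILE_NAMES:
                hits.append((FILE_NAMES[low], path))
            elif in_drop_dir and low.endswith((".exe", ".jpg")):
                hits.append(("dropped file in WinDsk", path))
    return sorted(hits)

def suspicious_run_values(run_values):
    """Given {value name: command} from the HKCU Run key, return entries that
    launch from a WinDsk or user-writable folder. These are review candidates:
    legitimate software also autostarts from AppData."""
    markers = ("\\" + DROP_DIR + "\\",) + USER_WRITABLE
    return {name: cmd for name, cmd in run_values.items()
            if any(m in cmd.lower() for m in markers)}

def read_hkcu_run():
    """Read the Run key named in the article (Windows only)."""
    import winreg
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        count = winreg.QueryInfoKey(key)[1]  # number of values under the key
        return {n: str(v) for n, v, _t in
                (winreg.EnumValue(key, i) for i in range(count))}

if __name__ == "__main__":  # run inside the affected Windows user profile
    for hit in scan_tree(os.path.expanduser("~")):
        print(*hit, sep=": ")
    print(suspicious_run_values(read_hkcu_run()))
```
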

The CryptoCat ransomware scans for files that are often used, but similar to PClock it may also be pre-programmed to encrypt files with the following file extensions:

→ .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

Source: kb.wisc.edu

After file encryption, the CryptoCat ransomware may change the user's wallpaper to an image of a cat, alongside which the CryptoCat ransom note may appear, with instructions to open the .lnk file.

The CryptoCat virus also gives a deadline to pay the ransom money and if it is not met, the virus or the cyber-criminals may destroy the decryption keys permanently and make the decryption irreversible.

After encryption CryptoCat adds the following ransom note:

CryptoCat Ransomware's note

CryptoCat – Conclusion, Removal and File Restoration

CryptoCat is a virus that uses various ciphers to scramble your files. The fact that it also gives a deadline to pay the ransom makes it almost imperative to remove this virus straight away.

To remove CryptoCat ransomware, please do not hesitate to follow the removal instructions posted after this article. They will help you effectively delete this ransomware from your PC. In case you are having difficulties in deleting CryptoCat from your computer manually, the best method according to researchers is automatically scanning your computer using an advanced anti-malware program to delete the ransomware.

To restore your files, we advise you to back them up first and wait for a free decryptor to be released sooner or later. In the meantime, you may want to try the alternative methods in step “3. Restore files encrypted by CryptoCat” below.

Manually delete CryptoCat from your computer

Note! Important notice about the CryptoCat threat: manual removal of CryptoCat requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove CryptoCat files and objects.
2. Find malicious files created by CryptoCat on your PC.
3. Fix registry entries created by CryptoCat on your PC.

Automatically remove CryptoCat by downloading an advanced anti-malware program

1. Remove CryptoCat with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by CryptoCat in the future
3. Restore files encrypted by CryptoCat
Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By CryptoCat Ransomware

We have designed a tutorial that is as simple as possible to explain, in theory, how you could detect your decryption key. Find out how

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
