A ransomware virus that appends the .cryptocat extension to the files it encrypts, reportedly using RSA-2048, has been detected. The virus also leaves a ransom note in a “Your files are locked !.txt” file, asking victims to contact email@example.com or firstname.lastname@example.org for instructions on how to pay the hefty sum of 1.45 BTC to get the files back. Researchers strongly advise anyone infected by this ransomware not to pay the cyber-criminals (payment does not guarantee a working key) and to wait for a decryption solution to be released. In the meantime, we urge you to remove CryptoCat ransomware and try alternative methods to restore your files, like the ones in the instructions below.
| Field | Description |
|---|---|
| Short Description | The malware encrypts the user's files, reportedly with RSA-2048, and demands 1.45 BTC for their decryption. |
| Symptoms | CryptoCat appends its distinctive .cryptocat file extension to encrypted files and leaves a “Your files are locked !.txt” file with instructions on how to pay the ransom. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice: this product scans drive sectors for deleted file remnants; it may recover only some of the encrypted files, depending on the situation and on whether the drive has been reformatted. |
CryptoCat Ransomware – How It Spreads
To spread, CryptoCat behaves much like a real cat: it lies in wait for its victims to open its malicious e-mail attachments or files. As soon as the user opens one, the attachment may download the ransomware payload and launch it automatically on the PC to begin encrypting files. In addition, the virus may rely on a combination of tools that help ensure a successful infection:
- Malware obfuscators, also known as cryptors, that hide the malicious file from real-time antivirus scanning. They are expensive to buy but worth it to the crooks.
- Exploit kits that take advantage of unpatched Windows vulnerabilities to infect the machine.
- Spam bots that quickly distribute spam web links or malicious e-mail attachments.
The spam messages that spread CryptoCat may vary in theme, but they usually try to convince the user that the URL or attachment is important. Subjects may include:
- “Confirmation letter for purchase.”
- “Add me in your LinkedIn network.”
Users should use e-mail services with strong spam filtering and, if an attachment or URL looks suspicious, verify it before opening it.
CryptoCat Ransomware – More Information
When it has been executed on your computer, the CryptoCat virus may drop several files in the following Windows folders:
Since the virus is believed to be a variant of another ransomware project, called PClock, it may create the following files as well:
The dropped files may carry names other than Windsk. The virus may also create files on the %Desktop%, like the following:
This file may lead the user to a payment page for the ransom.
In addition, the CryptoCat virus may modify the following Windows registry key so that its malicious files run on Windows startup:
The CryptoCat ransomware scans for commonly used file types, and, like PClock, it may be pre-programmed to encrypt files with the following extensions:
→ .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx (Source: kb.wisc.edu)
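The triage script below is an added example, not code from the original article or from any researcher it cites. It uses only the indicators given above (the appended .cryptocat extension and the “Your files are locked !.txt” note) to inventory what the infection touched before any cleanup begins, and checks each encrypted file's original extension against the target list above. The scan root, the report path and the assumption that the original file name is preserved in front of .cryptocat are assumptions of the example.

```powershell
# Added example (not the article's own code): inventory of CryptoCat artefacts.
# Assumptions: scanning starts at $Root (default C:\Users), the report goes to
# $Report, and encrypted files keep their original name in front of .cryptocat
# (e.g. report.docx.cryptocat).
param(
    [string]$Root   = 'C:\Users',
    [string]$Report = (Join-Path $env:TEMP 'cryptocat-triage.csv')
)

$RansomNote = 'Your files are locked !.txt'

# Extensions the article lists as CryptoCat/PClock encryption targets.
$TargetExts = @(
    '.3fr','.accdb','.ai','.arw','.bay','.cdr','.cer','.cr2','.crt','.crw','.h',
    '.dbf','.dcr','.der','.dng','.doc','.docm','.docx','.dwg','.dxf','.dxg','.eps',
    '.erf','.indd','.jpe','.jpg','.kdc','.mdb','.mdf','.mef','.mrw','.nef','.nrw',
    '.odb','.odm','.odp','.ods','.odt','.orf','.p12','.p7b','.p7c','.pdd','.pef',
    '.pem','.pfx','.ppt','.pptm','.pptx','.psd','.pst','.ptx','.r3d','.raf','.raw',
    '.rtf','.rw2','.rwl','.srf','.srw','.wb2','.wpd','.wps','.xlk','.xls','.xlsb',
    '.xlsm','.xlsx'
)

# One pass over the tree; -Force includes hidden files, and errors on locked
# folders are suppressed so the scan does not stop halfway.
$all = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue

$notes     = @($all | Where-Object { $_.Name -eq $RansomNote })
$encrypted = @($all | Where-Object { $_.Extension -eq '.cryptocat' })

$rows = @(foreach ($f in $encrypted) {
    # Strip the appended extension to recover the original file name.
    $origName = [System.IO.Path]::GetFileNameWithoutExtension($f.Name)
    $origExt  = [System.IO.Path]::GetExtension($origName).ToLowerInvariant()
    [pscustomobject]@{
        Path          = $f.FullName
        OriginalName  = $origName
        OriginalExt   = $origExt
        InTargetList  = ($TargetExts -contains $origExt)
        LastWriteTime = $f.LastWriteTime
        Length        = $f.Length
    }
})

# Read and report only; never delete encrypted files (a future decryptor needs
# them) or the ransom note (it is evidence).
$rows | Sort-Object LastWriteTime | Export-Csv -Path $Report -NoTypeInformation

"Encrypted files : $($rows.Count)"
"Ransom notes    : $($notes.Count)"
if ($rows.Count -gt 0) {
    $sorted = @($rows | Sort-Object LastWriteTime)
    # The write-time span approximates when the encryption ran, which helps
    # when correlating with mail logs or user activity.
    "Encryption ran between $($sorted[0].LastWriteTime) and $($sorted[-1].LastWriteTime)"
    "Most affected folders:"
    $rows | Group-Object { Split-Path -Path $_.Path -Parent } |
        Sort-Object Count -Descending | Select-Object -First 10 Count, Name |
        Format-Table -AutoSize
    "Encrypted extensions not in the documented target list:"
    $rows | Where-Object { -not $_.InTargetList } | Group-Object OriginalExt |
        Select-Object Count, Name | Format-Table -AutoSize
}
"Ransom note locations:"
$notes | Select-Object -ExpandProperty FullName
"Report written to $Report"
```

Run it from an account that can read the affected profiles (elevated if you scan all of C:\Users). The CSV gives you the encryption window and the set of folders hit, which is what you need when deciding what to restore from backup and when judging whether a later decryptor applies; extensions outside the documented list show whether this sample targets more than the PClock-derived set.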
After encrypting the files, CryptoCat may change the user's wallpaper to an image of a cat, alongside which the ransom note may appear, with instructions to open the .lnk file.
CryptoCat also sets a deadline for the ransom payment; if it is not met, the virus or the cyber-criminals may destroy the decryption keys permanently, leaving the files unrecoverable.
After encryption CryptoCat adds the following ransom note:
CryptoCat – Conclusion, Removal and File Restoration
CryptoCat is ransomware that uses strong encryption to scramble your files. Because it also sets a payment deadline, it is almost imperative to remove the virus straight away. Note that removal stops further encryption but does not decrypt anything already locked.
To remove CryptoCat ransomware, follow the removal instructions posted after this article. They will help you delete this ransomware from your PC. If you have difficulties deleting CryptoCat manually, the method researchers recommend is an automatic scan with an advanced anti-malware program.
To restore your files, back up the encrypted copies (and the ransom note) first and wait for a free decryptor to be released. In the meantime you may want to try the alternative methods in step “3. Restore files encrypted by CryptoCat” below.
- Guide 1: How to Remove CryptoCat from Windows.
- Guide 2: Get rid of CryptoCat from Mac OS X.
- Guide 3: Remove CryptoCat from Google Chrome.
- Guide 4: Erase CryptoCat from Mozilla Firefox.
- Guide 5: Uninstall CryptoCat from Microsoft Edge.
- Guide 6: Remove CryptoCat from Safari.
- Guide 7: Eliminate CryptoCat from Internet Explorer.
How to Remove CryptoCat from Windows.
Step 1: Boot Your PC In Safe Mode to isolate and remove CryptoCat
Step 2: Uninstall CryptoCat and related software from Windows
Step 3: Clean any registry entries created by CryptoCat on your computer.
The registry keys usually targeted on Windows machines are the following:
You can access them by opening the Windows Registry Editor and deleting any values created by CryptoCat there, following the steps underneath:
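The registry inspection below is an added example, not code from the original article. It serves both the Run-key persistence described in the “More Information” section and the registry clean-up step above: it lists every autorun value under the standard Run/RunOnce keys, flags entries that match the Windsk name the article mentions or that launch from user-writable folders, resolves the Desktop .lnk files the article says may lead to the payment page, and exports a .reg backup before anything is removed. The suspicious-path pattern and the backup location are assumptions of the example, and the removal helper runs with -WhatIf so nothing is deleted until you confirm each entry.

```powershell
# Added example (not the article's own code): enumerate autorun entries and
# Desktop shortcuts, flag suspicious ones, back the keys up, then remove only
# what you explicitly confirm. Run from an elevated PowerShell session.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: the Windsk file name from the article, plus commands launched
# from user-writable locations. Legitimate software (updaters, chat clients)
# also lives in AppData, so a match is a triage hint, not a verdict.
$SuspectPattern = 'windsk|cryptocat|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Public\\'

# Assumption: where the .reg backups are written.
$BackupDir = Join-Path $env:TEMP 'cryptocat-reg-backup'

function Get-AutorunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds its own provider metadata; skip it.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                Suspect = [bool]($cmd -match $SuspectPattern)
            }
        }
    }
}

function Get-DesktopShortcutTarget {
    # The article says CryptoCat may drop a .lnk on the Desktop that opens the
    # payment page; resolve every shortcut so its real target is visible.
    $shell   = New-Object -ComObject WScript.Shell
    $desktop = [Environment]::GetFolderPath('Desktop')
    Get-ChildItem -Path $desktop -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{
                Shortcut  = $_.Name
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
            }
        }
}

function Backup-RunKey {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # reg.exe expects HKCU\... rather than the HKCU:\ PowerShell drive form.
        $regPath = $key -replace ':', ''
        $file    = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + '.reg')
        reg.exe export $regPath $file /y | Out-Null
    }
}

function Remove-AutorunEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name)
    if ($PSCmdlet.ShouldProcess("$Key\$Name", 'Remove autorun value')) {
        Remove-ItemProperty -Path $Key -Name $Name
    }
}

$entries = @(Get-AutorunEntry)
$entries | Sort-Object Suspect -Descending | Format-Table -AutoSize
"Desktop shortcuts:"
Get-DesktopShortcutTarget | Format-Table -AutoSize

Backup-RunKey
"Backups written to $BackupDir"

# Dry run: shows what would be removed. Drop -WhatIf only after checking each
# flagged entry against the listing and the backup.
$entries | Where-Object Suspect | ForEach-Object {
    Remove-AutorunEntry -Key $_.Key -Name $_.Name -WhatIf
}
```

Review the flagged rows before removing anything: the pattern deliberately errs on the side of flagging, so expect legitimate AppData-based software in the list. Keep the .reg backups; if a removal breaks something, double-clicking the exported file restores the key. The Run keys are the persistence point the article describes, but after a ransomware infection it is also worth checking the Startup folder and scheduled tasks, which this example does not cover.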
Get rid of CryptoCat from Mac OS X.
Step 1: Uninstall CryptoCat and remove related files and objects
1. Hit the ⇧+⌘+U keys to open Utilities. Another way is to click on “Go” and then click “Utilities”, like the image below shows:
- Go to Finder.
- In the search bar type the name of the app that you want to remove.
- If all of the files are related, hold the ⌘+A keys to select them and then drag them to “Trash”.
In case you cannot remove CryptoCat via Step 1 above:
You can repeat the same procedure with the following other Library directories:
Tip: ~ is there on purpose, because it leads to more LaunchAgents.
Step 2: Scan for and remove malware from your Mac
When you are facing problems on your Mac as a result of unwanted scripts, programs and malware, the recommended way of eliminating the threat is by using an anti-malware program. Combo Cleaner offers advanced security features along with other modules that will improve your Mac’s security and protect it in the future.
Remove CryptoCat from Google Chrome.
Step 1: Start Google Chrome and open the drop menu
Step 2: Move the cursor over "Tools" and then from the extended menu choose "Extensions"
Step 3: From the opened "Extensions" menu locate the unwanted extension and click on its "Remove" button.
Step 4: After the extension is removed, restart Google Chrome by closing it from the red "X" button at the top right corner and start it again.
Erase CryptoCat from Mozilla Firefox.
Step 1: Start Mozilla Firefox. Open the menu window
Step 2: Select the "Add-ons" icon from the menu.
Step 3: Select the unwanted extension and click "Remove"
Step 4: After the extension is removed, restart Mozilla Firefox by closing it from the red "X" button at the top right corner and start it again.
Uninstall CryptoCat from Microsoft Edge.
Step 1: Start Edge browser.
Step 2: Open the drop menu by clicking on the icon at the top right corner.
Step 3: From the drop menu select "Extensions".
Step 4: Choose the suspected malicious extension you want to remove and then click on the gear icon.
Step 5: Remove the malicious extension by scrolling down and then clicking on Uninstall.
Remove CryptoCat from Safari.
Step 1: Start the Safari app.
Step 2: After hovering your mouse cursor to the top of the screen, click on the Safari text to open its drop down menu.
Step 3: From the menu, click on "Preferences".
Step 4: After that, select the 'Extensions' Tab.
Step 5: Click once on the extension you want to remove.
Step 6: Click 'Uninstall'.
A pop-up window will appear asking for confirmation to uninstall the extension. Select 'Uninstall' again, and CryptoCat will be removed.
Eliminate CryptoCat from Internet Explorer.
Step 1: Start Internet Explorer.
Step 2: Click on the gear icon labeled 'Tools' to open the drop menu and select 'Manage Add-ons'
Step 3: In the 'Manage Add-ons' window.
Step 4: Select the extension you want to remove and then click 'Disable'. A pop-up window will appear to inform you that you are about to disable the selected extension, and some more add-ons might be disabled as well. Leave all the boxes checked, and click 'Disable'.
Step 5: After the unwanted extension has been removed, restart Internet Explorer by closing it from the red 'X' button located at the top right corner and start it again.