A ransomware virus has been detected that uses .cryptocat as a file extension after it encodes the files of affected users with a strong RSA-2048 algorithm. The virus also leaves a ransom note in a “Your files are locked !.txt” file, asking victims to contact firstname.lastname@example.org or email@example.com in order to receive instructions on how to pay the hefty sum of 1.45 BTC to get the files back. Researchers strongly advise anyone who has been infected by this ransomware not to make any payoff to the cyber-criminals and to wait for a decryption solution to be released. In the meantime, we urge you to remove CryptoCat ransomware and try alternative methods to restore your files, like the ones in the instructions below.
|Short Description||The malware encrypts users' files using RSA-2048 encryption, which is military grade. It asks for the sum of 1.45 BTC for their decryption.|
|Symptoms||CryptoCat adds its distinctive .cryptocat file extension and leaves a “Your files are locked !.txt” file with instructions on how to pay the ransom.|
CryptoCat Ransomware – How It Spreads
To spread, CryptoCat acts just like a real cat: it hunts and waits for its victims to open its malicious e-mail attachments or files. As soon as the user opens them, the malware may execute a drive-by download of a malicious file and may start it automatically on the user's PC to begin encrypting files. In addition, the virus may use a combination of tools to ensure that a successful infection takes place:
- Malware obfuscators, otherwise known as cryptors, that hide the malicious file from real-time shields. Expensive to buy but worth it for crooks.
- Exploit kits that take advantage of Windows vulnerabilities to cause a successful infection.
- Spam bots to quickly spread spam web links or malicious e-mail attachments.
The spam messages that may spread CryptoCat can vary in character. They usually aim to convince users that the URL or the attachment is important. Topics may include:
- “Confirmation letter for purchase.”
- “Add me in your LinkedIn network.”
Users should use e-mail services with advanced spam filters and always check attachments and URLs they believe are suspicious before opening them.
CryptoCat Ransomware – More Information
When it has been executed on your computer, the CryptoCat virus may drop several files in the following Windows folders:
Since the virus is believed to be a variant of another ransomware project, called PClock, it may create the following files as well:
The files may have different names than Windsk. The virus may also create files on the %Desktop%, like the following:
This file may lead the user to a payment page for the ransom.
In addition to this, the CryptoCat virus may modify the following Windows key to make the malicious files of CryptoCat run on Windows startup:
The CryptoCat ransomware scans for files that are often used, but similar to PClock it may also be pre-programmed to encrypt files with the following file extensions:
.3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx
Source: kb.wisc.edu
After file encryption, the CryptoCat ransomware may change the user's wallpaper to one showing a cat, and the CryptoCat ransom note may appear alongside it, with instructions to open the .lnk file.
The CryptoCat virus also gives a deadline to pay the ransom money and if it is not met, the virus or the cyber-criminals may destroy the decryption keys permanently and make the decryption irreversible.
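A triage script built from the two symptoms this article names, the .cryptocat extension and the “Your files are locked !.txt” note, together with a few of the targeted extensions listed above. It is an added example, not part of the original article; it assumes the extension is appended to the original file name, and `scan`, `build_sample` and the sample tree are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".cryptocat"                 # extension named in this article
RANSOM_NOTE = "Your files are locked !.txt"  # note file name named in this article
# A few of the targeted extensions listed above (subset chosen for brevity).
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".jpg", ".psd", ".pst"}

def scan(root):
    """Walk root and summarise CryptoCat indicators found under it."""
    encrypted, notes, intact = [], [], []
    original_types = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                # Assumption: the extension is appended (report.docx.cryptocat),
                # so the original type is the suffix just before it.
                inner = os.path.splitext(lower[:-len(ENCRYPTED_EXT)])[1]
                original_types[inner or "(none)"] += 1
            elif lower == RANSOM_NOTE.lower():
                notes.append(path)
            elif os.path.splitext(lower)[1] in TARGETED:
                intact.append(path)  # targeted type that is still unencrypted
    return {"encrypted": encrypted, "notes": notes,
            "intact": intact, "original_types": original_types}

def build_sample(root):
    """Create a small constructed directory tree to run the scan against."""
    for rel in ("Documents/report.docx.cryptocat", "Documents/" + RANSOM_NOTE,
                "Pictures/cat.JPG.cryptocat", "Pictures/holiday.jpg", "notes.md"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = scan(tmp)
        print("encrypted files :", len(report["encrypted"]))
        print("ransom notes in :", [os.path.dirname(p) for p in report["notes"]])
        print("original types  :", dict(report["original_types"]))
        print("still intact    :", len(report["intact"]))
```

Files reported under `intact` are targeted types that have not been renamed, which helps prioritise what to back up first.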
After encryption CryptoCat adds the following ransom note:
CryptoCat – Conclusion, Removal and File Restoration
CryptoCat is a virus that uses various ciphers to scramble your files. The fact that it also gives a deadline to pay the ransom makes it almost imperative to remove this virus straight away.
To remove CryptoCat ransomware, please do not hesitate to follow the removal instructions posted after this article. They will help you effectively delete this ransomware from your PC. In case you are having difficulties in deleting CryptoCat from your computer manually, the best method according to researchers is automatically scanning your computer using an advanced anti-malware program to delete the ransomware.
To restore your files, we advise you to back them up first and wait for a free decryptor to be released sooner or later. In the meantime, you may want to try using the alternative methods of step “3. Restore files encrypted by CryptoCat.” below.