Remove CryptoCat Ransomware and Restore .cryptocat Files - How to, Technology and PC Security Forum |

Remove CryptoCat Ransomware and Restore .cryptocat Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

cryptocat-source-pinterestA ransomware virus using .cryptocat as a file extension after it encodes the files of affected users with a strong RSA-2048 algorithm has been detected. The virus also leaves a ransom note in a “Your files are locked !.txt” file, asking victims to contact or in order to receive instructions on how to pay the hefty sum of 1.45 BTC to get the files back. To anyone who has been infected by this ransomware virus, researchers strongly advise not to make any payoff to the cyber-criminals and wait for a decryption solution to be released. In the meantime, we urge you to remove CryptoCat ransomware and try alternative methods to restore your files, like the ones in the instructions below.

Threat Summary



Short DescriptionThe malware encrypts users files using RSA-2048 encryption which is military grade. It asks for the sum of 1.45 BTC for their decryption..
SymptomsCryptocat ads its distinctive .cryptocat file extension and leaves a Your files are locked !.txt file with instructions on how to pay the ransom.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by CryptoCat


Malware Removal Tool

User ExperienceJoin our forum to Discuss CryptoCat Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

CryptoCat Ransomware – How It Spreads

For it to replicate, CryptoCat acts just like a real cat – it hunts and waits for it’s victims to open it’s malicious e-mail attachments or files. As soon as the user opens them, the malware may execute a drive-by-download of a malicious file and it’s may start it automatically on the user PC to begin encrypting files. Not only this, but the virus may also use a combination of tools that ensure a successful infection takes place:

  • Malware obfuscators otherwise known as cryptors that hide the malicious file from real-time shields. Expensive to buy but worth it for crooks.
  • Exploit kits that take advantage of Windows exploits to cause a successful infection.
  • JavaScript files that may cause a file-less infection.

  • SpamBots to quickly spread spam web links or malicious e-mail attachments.

The spam messages that may spread CryptoCat may be of various character. They usually aim to fool users that the URL or the attachment is important. Topics may include:

  • “Invoice.”
  • “Confirmation letter for purchase.”
  • “Add me in your LinkedIn network.”

Users should use e-mail services with advanced spam filters and always check the attachments and URLs if they believe they are suspicious before opening them.

CryptoCat Ransomware – More Information

When it has been executed on your computer, the CryptoCat virus may drop several files in the following Windows folders:

→ %AppData%
%System Drive%

Since the virus is believed to be a variant of another ransomware project, called PClock, it may create the following files as well:

→ %AppData%\WinDsk\windsk.exe

The files may have different names than Windsk. The virus may also create files on the %Desktop%, like the following:

→ CryptoCat.lnk

This file may lead the user to a payment page for the ransom.

In addition to this, the CryptoCat virus may modify the following Windows key to make the malicious files of CryptoCat run on Windows startup:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

The CryptoCat ransomware scans for files that are often used, but similar to PClock it may also be pre-programmed to encrypt files with the following file extensions:

→ .3fr, .accdb, .ai, .arw, .bay, .cdr, .cer, .cr2, .crt, .crw, .h, .dbf, .dcr, .der, .dng, .doc, .docm, .docx, .dwg, .dxf, .dxg, .eps, .erf, .indd, .jpe, .jpg, .kdc, .mdb, .mdf, .mef, .mrw, .nef, .nrw, .odb, .odm, .odp, .ods, .odt, .orf, .p12, .p7b, .p7c, .pdd, .pef, .pem, .pfx, .ppt, .pptm, .pptx, .psd, .pst, .ptx, .r3d, .raf, .raw, .rtf, .rw2, .rwl, .srf, .srw, .wb2, .wpd, .wps, .xlk, .xls, .xlsb, .xlsm, .xlsx

After file encryption, the CryptoCat ransomware may change the wallpaper of the user to a wallpaper with a cat and along it the ransom note of CryptoCat may appear, with instructions to open the .lnk file.

The CryptoCat virus also gives a deadline to pay the ransom money and if it is not met, the virus or the cyber-criminals may destroy the decryption keys permanently and make the decryption irreversible.

After encryption CryptoCat adds the following ransom note:

CryptoCat Ransomware's note

Support e-mail:
Your personal files encryption produced on this computer: photos, videos, documents, etc.
Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow to decrypt the files,
located on a secret server on the Internet; the server will destroy the key after 168 hours.
After that nobody and never will be able to restore files.
To obtain the private key for this computer, you need pay 1.45 Bitcoin (~611 USD)
Your Bitcoin address:
You must send 1.45 Bitcoin to the specified address and report it to e-mail customer support.
In the letter must specify your Bitcoin address to which the payment was made.
The most convenient tool for buying Bitcoins in our opinion is the site:
There you can buy Bitcoins in your country in any way you like, including electronic payment systems,
credit and debit cards, money orders, and others.
Instructions for purchasing Bitcoins on account read here:
Video tutorial detailing on buying Bitcoins using the site here:
How to withdraw Bitcoins from account to our bitcoin wallet:
Also you can use to buy Bitcoins these sites:

CryptoCat – Conclusion, Removal and File Restoration

CryptoCat is a virus that uses various ciphers to scamble your files. Given the fact that it also gives a deadline to pay the ransom makes it almost imperative to remove this virus straight away.

To remove CryptoCat ransomware, please do not hesitate to follow the removal instructions posted after this article. They will help you effectively delete this ransomware from your PC. In case you are having difficulties in deleting CryptoCat from your computer manually, the best method according to researchers is automatically scanning your computer using an advanced anti-malware program to delete the ransomware.

To restore your files, we advise you to back them up first and wait for a free decryptor to be released sooner or later. In the meantime you may want to try using the alternative methods of step “3. Restore files encrypted by CryptoCat.” Below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share