What is Katafrack ransomware? And how does it carry out its attack?
Katafrack ransomware is a crypto-malware found to be an updated variant of the Ordinal ransomware, which was discovered in October 2017. This new version of Ordinal ransomware is still based on the open source platform Hidden Tear. It features some slight modifications compared to its predecessor, but it still spreads the same way. According to experts, it can encrypt files with the following extensions:
.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp
Once it finds the files it seeks to encrypt, it uses a customized AES cipher to make the files unreadable. Following the encryption, Katafrack ransomware also deletes the shadow volume copies of the files so that its victims won’t be able to recover them using the Windows Previous Versions feature. After that, it drops a text file on the desktop named READ-ME-TO-GET-YOUR-FILES-BACK.txt that reads:
“Your files have been encrypted by Katafrack Ransomware
Below is the information you will need to decrypt your files
After that, you’ll be able to see your beloved files again.
Email: [email protected]
BTC Address: 1HMnuFLBUex2ykPMFtVs7cnP8aENbwyGjJ
ETH Address 0x06394880c86383eccFbf27788D578C46ed562526
Amount To Send: 0.02 BTC
Identification:ED5E41963F4264302747C645290BA8”
Moreover, it also changes the desktop wallpaper of the infected computer. The image may have a green or red background, but it carries the same message:
“KATAFRACK RANSOMWARE
Follow the instructions to unlock your data
YOU FILES ARE ENCRYPTED
All your files have been encrypted with AES-256 Military Grade Encryption
INSTRUCTIONS
Your files have been encrypted, the only way to recover your files is to pay the fee.
Once you have paid the fee all your files will be decrypted and return to normal.
Send the required fee (found below) to the Bitcoin address (found below). Once you have sent the required fee to the Bitcoin address send an email with your Identification key (without this we cant help you). It may take 12-24 hours for us to respond. You will recive a Decryption Program + Decryption Key. Ethereum is also accepted.
WHAT NOT TO DO
DO NOT RESTARTAURN OFF YOUR COMPUTER
DO NOT ATTEMPT TO RECOVER THE FILES YOUR SELF
DO NOT CLOSE THIS PROGRAM
DECRYPTION KEY WILL BE DELETED FROM OUR SERVERS IN 7 DAYS FROM TODAY
Bitcoin Address: 1HMnuFLBUex2ykPMFtVs7cnP8aENbwyGjJ
Ethereum Address: 0x06394880c86383eccFbf27788D578C46ed562526
Identification: [EDITED]
Amount To Send: 0.02 BTC
Contact: [email protected]
Check Desktop For READ-ME-TO-GET-YOUR-FILES-BACK.txt File”
In its ransom note, Katafrack ransomware states that the operators will respond within 12-24 hours once you contact them at the email address given, [email protected]. However, you should know better than to believe what these crooks say, as they are not exactly known for keeping their promises, so paying would only be a waste of time and money. As of now, there is still no free decryption tool available, so you have to restore the affected files from any backup copies you have and wait until security experts are able to come up with a free decryption tool.
How does Katafrack ransomware proliferate?
Just like Ordinal ransomware, Katafrack ransomware spreads through malicious spam emails that carry a corrupted attachment. These attachments are usually macro-enabled documents. Once you open the macro-enabled document, Katafrack ransomware is installed on your computer right away, which is why you must refrain from opening unexpected emails, especially suspicious-looking ones. That includes emails saying you’ve won some sort of prize, as cyber criminals use all kinds of tricks to lure users into opening the email and its attachment.
To eliminate Katafrack ransomware, make sure that you complete the set of instructions given below as well as the advanced steps that come afterwards.
Step 1: Tap Ctrl + Shift + Esc to open the Task Manager.
Step 2: Once you’ve opened the Task Manager, go to the Processes tab and look for main.exe and end its process by clicking on End Task or End Process.
Step 3: Open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 4: Look for Katafrack Ransomware or any suspicious program and then Uninstall it/them.
Step 5: Tap Win + E keys to launch File Explorer.
Step 6: Navigate to the following locations and look for Katafrack ransomware’s malicious components, such as main.exe and the macro-enabled document it came with, as well as any other suspicious files, and then delete all of them.
- %TEMP%
- %APPDATA%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 7: Close File Explorer. Before you proceed to the next steps, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there can heavily affect your computer. To save yourself the trouble and time, you can instead use PC Cleaner Pro, a system tool that has proven safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field, and press Enter to open the Windows Registry.
Step 9: Navigate to the following path:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Step 10: Delete the registry keys and sub-keys created by Katafrack ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty all the contents in your Recycle Bin.
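As an added example, not part of the original article, the following read-only PowerShell audit checks a machine for the artifacts the steps above describe (the main.exe process, the ransom note on the desktop, a Run-key entry pointing at main.exe, main.exe copies in the drop folders, and whether any shadow copies remain). The ransom note name, process name, folders and Run key come from the article; the assumption that the Run value’s command line contains the literal string main.exe is mine. It deletes nothing, so it is safe to run before you start manual cleanup and again after Step 12 to confirm nothing is left.

```powershell
# Added example (not from the original article): read-only audit for the
# Katafrack artifacts this guide describes. Run from an elevated PowerShell.
$NoteName = 'READ-ME-TO-GET-YOUR-FILES-BACK.txt'   # dropped on the desktop
$ProcName = 'main'                                  # main.exe, as in Step 2
$RunKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$Folders  = @($env:TEMP, $env:APPDATA,
              (Join-Path $env:USERPROFILE 'Downloads'),
              (Join-Path $env:USERPROFILE 'Desktop'))
$findings = New-Object System.Collections.Generic.List[string]

# 1. Running process named main.exe (Step 2)
Get-Process -Name $ProcName -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("Process: $($_.ProcessName) PID $($_.Id) Path $($_.Path)")
}

# 2. Ransom note on the desktop
$note = Join-Path ([Environment]::GetFolderPath('Desktop')) $NoteName
if (Test-Path -LiteralPath $note) { $findings.Add("Ransom note: $note") }

# 3. Run-key persistence (Steps 8-10): values whose command mentions main.exe
#    (the main.exe match is an assumption; inspect every unfamiliar value too)
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
if ($run) {
    $run.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'main\.exe' } |
        ForEach-Object { $findings.Add("Run value: $($_.Name) = $($_.Value)") }
}

# 4. main.exe copies in the drop folders listed in Step 6, with a hash you can
#    keep as a record before deleting the file
foreach ($dir in $Folders) {
    Get-ChildItem -Path $dir -Filter 'main.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $findings.Add("File: $($_.FullName) SHA256 $hash")
        }
}

# 5. Shadow copies: the article says the malware deletes them, so a count of 0
#    on a machine that normally keeps restore points is consistent with infection
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings.Add("Shadow copies present: $($shadows.Count)")

$findings | ForEach-Object { Write-Output $_ }
```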
To make sure that nothing is left behind and that Katafrack is completely removed, use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed; if Windows loads instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
There must be a single space between explorer and http. Click OK.
- Internet Explorer will display a dialog box. Click Run to begin downloading the program. Installation starts automatically once the download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.