What is Katyusha ransomware? And how does it execute its attack?
Katyusha Ransomware is another file-encrypting virus discovered recently. Just like other typical ransomware threats, this new one follows the same sequence in executing its attack. First, it drops a payload file in the system which is the one that connects the system to a C&C server. From there, it downloads its malicious components and puts them into system folders.
After the infiltration, Katyusha ransomware will begin to make some adjustments in some settings in the system. It modifies registry entries and keys as well as creates new ones in the Windows Registry which allows it to achieve persistence in its attack. It also uses a data gathering module to harvest information in the system. The harvested data is then used along with some malicious components for the stealth protection module which prevents any antivirus or security programs from interfering with the attack. Once all the system changes are applied, it starts the encryption process by encrypting its targeted files and once it’s done, it appends .katyusha extension to every encrypted file and drops a file named “_how_to_decrypt_you_files.txt” which contains the following message:
“=====================================HOW TO DECRYPT YOU FILES====================================
All your documents, photos, databases, and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: [email protected]
I will give you the key and tool
If there is no payment within three days
we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file.
Send two small than 2 MB files to the email address: [email protected]
Your ID:[redacted 8 numbers]
Your IDKEY:
================================================
[redacted 0x100 bytes in base64]
================================================
Payment site https://www.bithumb.com/
Payment site http://www.coinone.com/
Payment site https://www.gopax.co.kr/
Payment site http://www.localbitcoins.com/
Official Mail:[email protected]”
As you can see, crooks try to lure users into paying the ransom by supposedly allowing them to restore two small encrypted files that are less than 2MB in size. However, no matter how believable the ransom note maybe, you must not, in any way, reach out to these crooks and pay the 0.5 Bitocin ransom as they will only trick you in the end. It would be best if you focus on obliterating this crypto-malware from your system as well as try alternative methods in restoring your files without having to pay the ransom.
How does Katyusha ransomware proliferate?
Although the distribution of this threat is relatively low, it can still reach your computer in the form of an attachment from your email. Usually, crooks attach the malicious payload of the ransomware to spam emails. They also tend to disguise such malware-laden emails to make sure users get to open the attachment. They usually put attention-seeking subjects like receipts, invoices, bank statements, and so on. Thus, you need to double-check emails first before you open them to avoid crypto-malware threats like Katyusha ransomware.
Follow the removal guide given below to kill Katyusha ransomware.
Step_1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step_2: Go to the Processes tab and look for the malicious processes of Katyusha ransomware and then right-click on it and select End Process or End Task.
Step_3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in “appwiz.cpl” and then click OK or press Enter.
Step_4: Look for dubious programs that might be related to Katyusha ransomware and then Uninstall it/them.
Step_5: Close Control Panel and then tap Win + E to launch File Explorer.
Step_6: After opening File Explorer, navigate to the following directories below and look for Katyusha ransomware’s malicious components such as _how_to_decrypt_you_files.txt, [random].exe, and other suspicious-looking files and then erase them all.
- %TEMP%
- %APPDATA%
- %DESKTOP%
- %USERPROFILE%\Downloads
- C:\ProgramData\local\
Step_7: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech-savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you trouble and time, you can just use Restoro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step_8: Tap Win + R to open Run and then type in Regedit in the field and tap enter to pull up Windows Registry.
Step_9: Navigate to the listed paths below and look for the registry keys and sub-keys created by Katyusha ransomware.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step_10: Delete the registry keys and sub-keys created by Katyusha ransomware.
Step_11: Close the Registry Editor.
Step_12: Empty your Recycle Bin.
Try to recover your encrypted files using their Shadow Volume copies
Restoring your encrypted files using Windows Previous Versions feature will only be effective if Katyusha ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Congratulations, you have just removed Katyusha Ransomware in Windows 10 all by yourself. If you would like to read more helpful articles and tips about various software and hardware visit fixmypcfree.com daily.
Now that’s how you remove Katyusha Ransomware in Windows 10 on a computer. On the other hand, if your computer is going through some system-related issues that have to get fixed, there is a one-click solution known as Restoro you could check out to resolve them.
This program is a useful tool that could repair corrupted registries and optimize your PC’s overall performance. Aside from that, it also cleans out your computer for any junk or corrupted files that help you eliminate any unwanted files from your system. This is basically a solution that’s within your grasp with just a click. It’s easy to use as it is user-friendly. For a complete set of instructions in downloading and using it, refer to the steps below
Perform a full system scan using Restoro. To do so, follow the instructions below.