CashCat Ransomware

By GoldSparrow in Ransomware

The CashCat Ransomware is a prank ransomware Trojan that was first released on December 3, 2018. The CashCat Ransomware is available on GitHub for public use and is listed as a 'ransomware simulator.' The purpose of the CashCat Ransomware is to pretend to be a ransomware Trojan, possibly as part of a prank. Lee Ber, the author of the CashCat Ransomware, has given the following description of the threat on its project page:

'A little windows ransomware simulator that will rename .TXT files to .LOCKY to simulate ransomware behavior for testing various monitoring tools'

The Cat that is After Your Cash

The CashCat Ransomware, unlike real encryption ransomware Trojans, is not capable of encrypting data. It is a simple program that searches for files with the .TXT extension and, as its description mentions, renames them so that they have the '.LOCKY' extension instead. This extension has been used by real encryption ransomware Trojans before. After renaming the victim's files, the CashCat Ransomware changes the infected computer's desktop picture to a picture of a cat surrounded by images of money. This image has been linked to the website cashcats.biz, which shows pictures of cats with cash, guns, jewels and other items. Judging from the GitHub project page and other aspects of the CashCat Ransomware, it is clearly meant to be used as a prank. However, it would not be difficult to use the freely available code associated with the CashCat Ransomware to create ransomware simulators that carry out a more serious attack. There is a disable code integrated into the CashCat Ransomware that allows computer users to return their computers to normal after the attack.
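The behavior described above, a burst of .TXT files renamed to .LOCKY, is the pattern a monitoring tool would be tested against. The detector below is an added example, not code from the CashCat project; the event tuple layout, the process name simulator.exe, the threshold and the time window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

# Constructed sample rename events: (epoch seconds, process image, old path, new path).
# "simulator.exe" is a placeholder name, not the real binary name.
SAMPLE_EVENTS = [
    (100.0, "explorer.exe", r"C:\Users\a\Desktop\todo.txt", r"C:\Users\a\Desktop\todo-old.txt"),
    (101.0, "simulator.exe", r"C:\Users\a\Documents\notes.txt", r"C:\Users\a\Documents\notes.locky"),
    (101.2, "simulator.exe", r"C:\Users\a\Documents\plan.TXT", r"C:\Users\a\Documents\plan.LOCKY"),
    (101.4, "simulator.exe", r"C:\Users\a\Documents\keys.txt", r"C:\Users\a\Documents\keys.locky"),
    (101.9, "simulator.exe", r"C:\Users\a\Desktop\readme.txt", r"C:\Users\a\Desktop\readme.locky"),
    (500.0, "notepad.exe", r"C:\Users\a\Desktop\one.txt", r"C:\Users\a\Desktop\one.locky"),
]


def ext(path):
    """Lower-cased extension of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).suffix.lower()


def detect_mass_rename(events, watched=(".locky",), threshold=3, window=5.0):
    """Return {process: peak_count} for every process that renamed at least
    `threshold` files to a watched extension within `window` seconds."""
    recent = defaultdict(deque)   # process -> timestamps of recent matching renames
    alerts = {}
    for ts, proc, old, new in sorted(events):
        # Only extension changes that land on a watched extension are counted.
        if ext(new) not in watched or ext(old) == ext(new):
            continue
        q = recent[proc]
        q.append(ts)
        # Drop renames that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[proc] = max(alerts.get(proc, 0), len(q))
    return alerts


if __name__ == "__main__":
    for proc, count in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT: {proc} renamed {count} files to a watched extension")
```

A single rename to .locky (the notepad.exe event) stays below the threshold, which keeps one-off user actions from raising an alert.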

The Threats that the CashCat Ransomware Imitates

There are many aspects of the CashCat Ransomware that emulate real encryption ransomware Trojans closely. The first of these is the CashCat Ransomware's 'ransom note,' a program window that displays the following message (identical to the ransom note linked to many other encryption ransomware Trojans):

'CRYPTO HAS ENCRYPTED YOUR FILES
Your important files are not encrypted!
The lock was produced using a unique public RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. The Single copy of this private key which allow you to decrypt the files is on a secret server on the internet dark web. The server will destroy the key after a time specified in this window.
[Unlock Code Here|TEXT BOX]
[Send|BUTTON]'

Real encryption ransomware Trojans use RSA or AES encryption to make the victims' files inaccessible, targeting user-generated files, which may include files with the following extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The CashCat Ransomware 'attack' targets only text files with the .TXT extension, but to a less experienced computer user, the CashCat Ransomware attack can be a scary experience.
