The Ctpl Ransomware is a new malware threat that infects users' computers, runs an encryption process and locks the files stored there. As a result, victims can no longer open or use their private or work-related files, including PDFs, photos, images, audio and video files, databases, MS Office documents, archives, etc. All affected users are then extorted for money in exchange for the potential restoration of the locked data.
Analysis has revealed that the Ctpl Ransomware is part of the prolific Dharma Ransomware family. Indeed, the threat appears to be yet another variant that does not deviate much from typical Dharma behavior. Every encrypted file has its original name modified significantly: the threat appends a unique ID string, an email address and a new file extension. The email address used by the Ctpl Ransomware is 'firstname.lastname@example.org' while the file extension is '.cptl.' After completing its encryption routine, the threat drops its ransom note. Like most Dharma variants, the Ctpl Ransomware creates two different notes - the main set of instructions is presented in a pop-up window while a shortened version is contained inside text files named 'MANUAL.txt.'
Users who open the text files will find just a couple of sentences that inform them about the encryption of their files and point towards establishing contact with the hackers through two email addresses - 'email@example.com' and 'firstname.lastname@example.org.' The message in the pop-up window clarifies that the secondary email should only be used if victims do not receive a response within 12 hours after contacting the primary address. Neither note provides any details about the amount of the ransom demanded by the hackers.
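As an added example (not part of the original write-up), the following triage script scans a directory listing for files renamed in the Dharma style described above and for the 'MANUAL.txt' note, and summarises the IDs and contact addresses it finds. The exact name layout '<original>.id-<ID>.[<email>].cptl' is an assumption drawn from typical Dharma samples, since the text states only that an ID, an email and the extension are appended; the sample listing is constructed.

```python
import re
from collections import Counter

# Assumed layout of a renamed file (the page states only that an ID, an
# e-mail and a new extension are appended; the '.id-' prefix, the bracketed
# e-mail and their order are an assumption based on typical Dharma samples):
#   <original name>.id-<hex id>.[<email>].cptl
RENAMED = re.compile(
    r"^(?P<original>.+?)\.id-(?P<id>[0-9A-Fa-f]+)"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
NOTE_NAME = "MANUAL.txt"  # name of the short text note, as stated on the page


def parse_renamed(name):
    """Return (original_name, id, email, ext) or None if not Dharma-style."""
    m = RENAMED.match(name)
    if not m:
        return None
    return (m.group("original"), m.group("id").upper(),
            m.group("email"), m.group("ext").lower())


def triage(names, expected_ext="cptl"):
    """Summarise a file listing: encrypted files, IDs/emails seen, notes found."""
    encrypted, ids, emails, notes = [], Counter(), Counter(), 0
    for n in names:
        if n == NOTE_NAME:
            notes += 1
            continue
        parsed = parse_renamed(n)
        # Only count files carrying the extension this variant is known to use.
        if parsed and parsed[3] == expected_ext:
            encrypted.append(parsed)
            ids[parsed[1]] += 1
            emails[parsed[2]] += 1
    return {
        "encrypted": len(encrypted),
        "ids": dict(ids),
        "emails": dict(emails),
        "notes": notes,
        "originals": sorted(p[0] for p in encrypted),
    }


# Constructed sample directory listing (not data from a real infection).
SAMPLE = [
    "report.docx.id-1A2B3C4D.[email@example.com].cptl",
    "photo.jpg.id-1A2B3C4D.[email@example.com].cptl",
    "MANUAL.txt",
    "notes.txt",
    "backup.zip.id-1A2B3C4D.[email@example.com].other",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Pointing the script at a real file listing gives a quick count of affected files and recovers the original names, which helps scope an incident before any restore from backup.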
In general, it is never a good idea to enter into negotiations with people responsible for unleashing malware threats. There are no guarantees that they will send the required decryption key and software even after receiving the money.
The full text of the Ctpl Ransomware's note is:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, write to the mail: email@example.com YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:firstname.lastname@example.org
We recommend you contact us directly to avoid overpaying agents
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The instructions delivered in the text files are:
all your data has been locked us
You want to return?
write email email@example.com or firstname.lastname@example.org.'