
Kashima Ransomware

At its core, the Kashima threat is still classified as ransomware. It is equipped with an encryption routine that uses an uncrackable cryptographic algorithm to lock the files of its victims. However, taking a close look at the code of this malware and its exact behavior reveals multiple peculiar characteristics.

Instead of trying to affect as large a number of file types as possible, the threat is designed to focus on several file extensions - '.cfg,' '.congif,' '.js,' '.NOOB,' '.lua,' '.lw,' and '.trym' specifically. Each encrypted file will have '.KASHIMA' appended to its original name. After the threat has processed all targeted files, it will generate a new pop-up window with instructions for its victim.
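For triage, the extension list and the appended '.KASHIMA' marker described above are enough to inventory affected files on a host. The following Python sketch is an added example, not code from the original write-up; the case-insensitive comparison and the state names ('encrypted', 'marker-only', 'at-risk') are assumptions made for illustration, and the demo file names are constructed.

```python
import os
import tempfile
from pathlib import Path

# Extensions and marker exactly as listed in the write-up above.
TARGETED = {".cfg", ".congif", ".js", ".NOOB", ".lua", ".lw", ".trym"}
MARKER = ".KASHIMA"
# Assumption: compare case-insensitively, as Windows file names are.
_TARGETED_CF = {e.casefold() for e in TARGETED}


def classify(name):
    """Return (state, original_name) for one file name.

    'encrypted'   : marker appended to a name with a targeted extension
    'marker-only' : marker present, original extension not in the list
    'at-risk'     : targeted extension, marker not (yet) appended
    None          : not relevant to this threat
    """
    if name.casefold().endswith(MARKER.casefold()) and len(name) > len(MARKER):
        original = name[: -len(MARKER)]
        ext = Path(original).suffix.casefold()
        return ("encrypted" if ext in _TARGETED_CF else "marker-only"), original
    if Path(name).suffix.casefold() in _TARGETED_CF:
        return "at-risk", name
    return None, name


def inventory(root):
    """Walk root and group matching files by state for an incident report."""
    report = {"encrypted": [], "marker-only": [], "at-risk": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            state, original = classify(name)
            if state:
                report[state].append((os.path.join(dirpath, name), original))
    return report


def demo():
    """Build a constructed directory tree and return per-state counts."""
    with tempfile.TemporaryDirectory() as tmp:
        for n in ("autoexec.cfg.KASHIMA", "hud.lua.kashima", "aim.js",
                  "notes.txt.KASHIMA", "readme.txt", "a/b/skin.trym.KASHIMA"):
            p = Path(tmp, n)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed sample")
        return {k: len(v) for k, v in inventory(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

The 'encrypted' list gives the original names to look for in backups, and 'at-risk' files are candidates to copy off the host before any further changes are made.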

Ransom Note's Details

The ransom-demanding message of the Kashima Ransomware also deviates from the standard ransom notes observed in other ransomware threats. Victims of this particular malware are not provided with any way to contact the attackers. Furthermore, although the note talks about the encryption of the user's data, it makes no demand that victims pay a ransom to get their files back.

What the note does state is that the victims of the Kashima Ransomware will be able to restore their files by buying and running an application called Nixware loader. This appears to be a paid cheat engine for online games, such as Counter-Strike: Global Offensive. As a consequence, it appears that the goal of the attackers is to use the ransomware threat to boost the sales of this particular cheating tool.

The full text of the note left by Kashima Ransomware is:

'KashimaWare WARNING!


Your cfgs have been encrypted by Kashima!

What the HELL is it?

Practice cruiser "Kashima" encrypted your f**king cfg and js. it can't be recovered without this application because they are encrypted with highly strong encryption algorithm, using random key.

How can I recover my cfg

That's easy. You just have to running Nixware loader. this application will detect the process automatically. DO NOT TRY USING FAKE EXE OR TEMRINATE THIS APPLICATION IF YOU DON'T WANT TO BLOW UP THE ENCRYPTION KEY!


Loader Process Status : Not Found

Decryption :Not Approved!'

