Katafrack Ransomware

The Katafrack Ransomware is a file encoder Trojan that was discovered on November 21st, 2017. The threat is identified as a variant of the Ordinal Ransomware, which was added to databases on October 20th, 2017. It appears the Ordinal team continues to use the HiddenTear Ransomware builder to deploy new versions of their product. The threat at hand features slight modifications compared to its predecessor, but the payload is distributed the same way - spam emails and macro-enabled text files.
 
Cybersecurity analysts reported that the Katafrack Ransomware supports all features present in HT-based crypto malware such as the Comrade HT Ransomware and the Skull HT Ransomware. The Katafrack Ransomware is programmed to apply a personalized AES cipher to the user's data and make it unreadable so that you need to decrypt it first. Unfortunately, the Katafrack Ransomware Trojan erases the content of the vault where Windows keeps copies of your data in case you need to recover lost files. Hence, infected users may find that it is impossible to recover from the attack using the native restoration features in the latest Windows versions. The Katafrack Ransomware is known to drop a file named 'READ-ME-TO-GET-YOUR-FILES-BACK.txt' on the desktop that reads:
 
'Your files have been encrypted by Ordinal Ransomware
Below is the information you will need to decrypt your files
After that, you'll be able to see your beloved files again.
Email: OrdinalScale@protonmail.com
BTC Address: 1HMnuFLBUex2ykPMFtVs7cnP8aENbwyGjJ
ETH Address 0x06394880c86383eccFbf27788D578C46ed562526
Amount To Send: 0.02 BTC
Identification:ED5E41963F4264302747C645290BA858'
 
However, the customization process seems rushed  since infected users have reported that the Trojan generates another ransom message as a desktop background image, which reads:
 
'KATAFRACK RANSOMWARE
Follow the instructions to unlock your data
YOU FILES ARE ENCRYPTED
All your files have been encrypted with AES-256 Military Grade Encryption
INSTRUCTIONS
Your files have been encrypted, the only way to recover your files is to pay the fee.
Once you have paid the fee all your files will be decrypted and return to normal.
Send the required fee (found below) to the Bitcoin address (found below). Once you have sent the required fee to the Bitcoin address send an email with your Identification key (without this we cant help you). It may take 12-24 hours for us to respond. You will recive a Decryption Program + Decryption Key. Ethereum is also accepted.
WHAT NOT TO DO
DO NOT RESTARTAURN OFF YOUR COMPUTER
DO NOT ATTEMPT TO RECOVER THE FILES YOUR SELF
DO NOT CLOSE THIS PROGRAM
DECRYPTION KEY WILL BE DELETED FROM OUR SERVERS IN 7 DAYS FROM TODAY
Bitcoin Address: 1HMnuFLBUex2ykPMFtVs7cnP8aENbwyGjJ
Ethereum Address: 0x06394880c86383eccFbf27788D578C46ed562526
Identification: [EDITED]
Amount To Send: 0.02 BTC
Contact: OrdinalScale@protonmoil.com
Check Desktop For READ-ME-TO-GET-YOUR-FILES-BACK.txt File'
 
Apart from the Katafrack Ransomware, there is only one other encryption Trojan that asks for Etherium digital cryptocurrency, and that is the EnCrypt Ransomware. The ETH digital currency may not be as popular as Bitcoin and Monero, but it boasts stable prices and dedicated community. We are not sure why the Ordinal threat actors ask for ETH, but you should not give them what they want. You can rebuild your data by loading backup images and system recovery disks. It can relatively easy to recover if you have copies of your files stored in the cloud as well. Malware researchers alert that it is best to remove threats like the Katafrack Ransomware using a reputable security scanner. AV engines use the following detection names regarding the Katafrack Ransomware:

• Ransom_KATAFRACK.A
• Trojan ( 0050ac851 )
• Trojan.Ransom.Katafrack
• Trojan.RansomKD.12592691
• Trojan.Win32.Z.Hiddentear.513024
• Win32.Trojan.Generic.Szuv
• malicious_confidence_100% (W)

SpyHunter Detects & Remove Katafrack Ransomware