Katyusha Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 7
First Seen: October 30, 2018
Last Seen: June 27, 2020
OS(es) Affected: Windows

The Katyusha Ransomware is an encryption ransomware Trojan that was first observed in October 2018. It carries out a typical encryption ransomware attack: it makes the victim's files unusable by encrypting them with a strong encryption algorithm, and then demands a ransom payment from the victim in exchange for the decryption key needed to restore the affected files. The Katyusha Ransomware is commonly delivered to victims via corrupted email attachments.

A Sweet Name for a Harmful Threat

The Katyusha Ransomware scans the victim's files in search of user-generated files and then replaces the affected files with encrypted copies of the victim's data. The Katyusha Ransomware targets certain files, which may include files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The Katyusha Ransomware receives its name because it marks all the files encrypted by the attack with the file extension '.katyusha', which is added to each file's name.

The Katyusha Ransomware’s Ransom Demand

The Katyusha Ransomware delivers a ransom note in the form of a text file named '_how_to_decrypt_you_files.txt', which contains the following text:

'===HOW TO DECRYPT YOU FILES===
All your documents, photos, databases, and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: kts2018@protonmail.com
I will give you the key and tool
If there is no payment within three days
we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file.
Send two small than 2 MB files to the email address: kts2018@protonmail.com
Your ID:[redacted 8 numbers]
Your IDKEY:
===
[random characters]
===
Payment site h[tt]ps://www.bithumb[.]com/
Payment site h[tt]p://www.coinone[.]com/
Payment site h[tt]ps://www.gopax.co[.]kr/
Payment site h[tt]p://www.localbitcoins[.]com/
Officail Mail:kts2018@protonmail.com'

Contacting the criminals responsible for the Katyusha Ransomware attack is not recommended.

Protecting Your Data from Threats Like the Katyusha Ransomware

The best protection against threats like the Katyusha Ransomware is to have backup copies of your data. Backup copies of your data should be stored on external memory devices or the cloud, away from the reach of threats like the Katyusha Ransomware. Unfortunately, the Katyusha Ransomware damages the files in such a way that they cannot be decrypted, meaning that replacing the affected files with backup copies is the best way to ensure that you can recover your data after an attack. Because threats like the Katyusha Ransomware are commonly delivered using corrupted spam email attachments, learning to recognize this kind of content and dealing with it appropriately is an important part of protecting your data from these threats.
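
For scoping an incident before restoring from backup, the sketch below walks a directory tree and reports the two artefacts described above: files carrying the '.katyusha' extension and copies of the '_how_to_decrypt_you_files.txt' note. It is an added example, not part of the original write-up or any vendor tool; the `triage` function, its report fields and the assumption that the note's "Your ID:" line holds eight digits are illustrative.

```python
import os
import re
import sys

ENCRYPTED_EXT = ".katyusha"                    # marker extension named on the page
NOTE_NAME = "_how_to_decrypt_you_files.txt"    # ransom note file name from the page
# Assumption: the "Your ID:" line carries 8 digits, per the redacted note above.
ID_RE = re.compile(r"^Your ID:\s*(\d{8})\s*$", re.MULTILINE)


def triage(root):
    """Walk `root` and summarise Katyusha artefacts for incident scoping."""
    report = {"restore": [], "notes": [], "ids": set(), "by_dir": {}, "earliest": None}
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT) and len(name) > len(ENCRYPTED_EXT):
                # The extension is appended, so stripping it gives the name
                # to look for in backups.
                report["restore"].append(path[: -len(ENCRYPTED_EXT)])
                report["by_dir"][dirpath] = report["by_dir"].get(dirpath, 0) + 1
                try:
                    mtime = os.path.getmtime(path)
                except OSError:
                    continue  # file vanished or is unreadable; still counted
                # Oldest encrypted copy approximates when encryption began.
                if report["earliest"] is None or mtime < report["earliest"]:
                    report["earliest"] = mtime
            elif lower == NOTE_NAME:
                report["notes"].append(path)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        report["ids"].update(ID_RE.findall(fh.read(65536)))
                except OSError:
                    pass  # note present but unreadable; path is still recorded
    return report


if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(result['restore'])} encrypted files, {len(result['notes'])} ransom notes")
    for directory, count in sorted(result["by_dir"].items(), key=lambda kv: -kv[1]):
        print(f"{count:6d}  {directory}")
    print("victim IDs in notes:", sorted(result["ids"]) or "none found")
```

The `restore` list holds the original paths to look up in backups, and `earliest` is the oldest modification time among the encrypted copies, which helps choose a backup taken before the attack.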
