Katyusha Ransomware
EnigmaSoft Threat Scorecard
Threat Level: 100% (High)
Infected Computers: 7
First Seen: October 30, 2018
Last Seen: June 27, 2020
OS(es) Affected: Windows
The Katyusha Ransomware is an encryption ransomware Trojan that was first observed in October 2018. The Katyusha Ransomware carries out a typical version of a standard encryption ransomware attack: it renders the victim's files unusable by encrypting them with a strong encryption algorithm, and then it demands a ransom payment from the victim in exchange for the decryption key needed to restore the affected files. The Katyusha Ransomware is commonly delivered to victims via corrupted email attachments.
A Sweet Name for a Harmful Threat
The Katyusha Ransomware scans the victim's files in search of user-generated files and then replaces the affected files with encrypted copies of the victim's data. The Katyusha Ransomware targets certain files, which may include files with the following file extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
The Katyusha Ransomware receives its name because it marks all the files encrypted by the attack with the file extension '.katyusha,' which is added to each file's name.
The Katyusha Ransomware’s Ransom Demand
The Katyusha Ransomware delivers a ransom note in the form of a text file named '_how_to_decrypt_you_files.txt,' which contains the following text:
'===HOW TO DECRYPT YOU FILES===
All your documents, photos, databases, and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: kts2018@protonmail.com
I will give you the key and tool
If there is no payment within three days
we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file.
Send two small than 2 MB files to the email address: kts2018@protonmail.com
Your ID:[redacted 8 numbers]
Your IDKEY:
===
[random characters]
===
Payment site h[tt]ps://www.bithumb[.]com/
Payment site h[tt]p://www.coinone[.]com/
Payment site h[tt]ps://www.gopax.co[.]kr/
Payment site h[tt]p://www.localbitcoins[.]com/
Officail Mail:kts2018@protonmail.com'
Contacting the criminals responsible for the Katyusha Ransomware attack is not recommended.
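The two host-level indicators described above (the appended '.katyusha' extension and the '_how_to_decrypt_you_files.txt' note) are enough for a quick triage sweep of a suspect machine. The following script is an added example written for this page, not code from EnigmaSoft or from the malware itself; it walks a directory tree, confirms ransom notes by their header line rather than by name alone, counts encrypted files by their original extension, and flags encrypted files whose original type is outside the targeted list quoted above. The sample directory it scans is constructed in the script itself, and the targeted-extension set is a subset of the page's list.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the appended extension and the note file.
ENCRYPTED_EXT = ".katyusha"
RANSOM_NOTE_NAME = "_how_to_decrypt_you_files.txt"
RANSOM_NOTE_MARKER = "===HOW TO DECRYPT YOU FILES==="
# A subset of the extensions the write-up lists as targeted.
TARGETED = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".sql", ".db", ".zip"}


def scan_tree(root):
    """Return {'notes': [...], 'by_ext': {ext: n}, 'unexpected': [...]}: confirmed
    ransom notes, '.katyusha' files per original extension, and odd-type hits."""
    report = {"notes": [], "by_ext": {}, "unexpected": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            lowered = name.lower()
            if lowered == RANSOM_NOTE_NAME:
                # Match on content as well as name to avoid false hits.
                if RANSOM_NOTE_MARKER in path.read_text(errors="replace")[:256]:
                    report["notes"].append(str(path))
            elif lowered.endswith(ENCRYPTED_EXT):
                # 'report.docx.katyusha' -> original extension '.docx'
                orig_ext = Path(name[: -len(ENCRYPTED_EXT)]).suffix.lower()
                report["by_ext"][orig_ext] = report["by_ext"].get(orig_ext, 0) + 1
                if orig_ext not in TARGETED:
                    report["unexpected"].append(str(path))
    return report


def demo():
    """Build a constructed sample tree (not real victim data), scan it, clean up."""
    base = Path(tempfile.mkdtemp(prefix="katyusha_demo_"))
    try:
        for sub in ("docs", "photos"):
            (base / sub).mkdir()
        for rel in ("docs/report.docx.katyusha", "photos/trip.jpg.katyusha",
                    "docs/build.log.katyusha"):
            (base / rel).write_bytes(b"\x00" * 32)  # stand-in ciphertext
        (base / "docs" / "readme.txt").write_text("untouched file")
        (base / "docs" / RANSOM_NOTE_NAME).write_text(
            RANSOM_NOTE_MARKER + "\nAll your documents ... were encrypted!!\n")
        return scan_tree(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Run `scan_tree()` against a mounted image or a suspect user profile; a non-empty `notes` list together with `by_ext` counts dominated by document and media types matches the behaviour described above.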
Protecting Your Data from Threats Like the Katyusha Ransomware
The best protection against threats like the Katyusha Ransomware is to have backup copies of your data. Backup copies of your data should be stored on external memory devices or in the cloud, out of the reach of threats like the Katyusha Ransomware. Unfortunately, the Katyusha Ransomware damages the files in a way that they cannot be decrypted, meaning that replacing the affected files with backup copies is the best way to ensure that you can recover your data after an attack. Because threats like the Katyusha Ransomware are commonly delivered using corrupted spam email attachments, learning to recognize this kind of content and dealing with it appropriately is an important part of protecting your data from these threats.