
CashCat Ransomware

Posted: December 4, 2018

The CashCat Ransomware is a Trojan that imitates file-locking attacks against your media. Although it lacks any data-encrypting, archiving or corrupting behavior currently, its authors may add such features into future releases. Users should treat this Trojan as a possible danger to their local files and have an appropriate anti-malware product uninstall the CashCat Ransomware, or block its attempted installation.

Imitation as Flattery Towards a Two-Year-Old Trojan

The '.locky File Extension' Ransomware is a periodic target for imitation by unrelated Trojans, including the old Locky Locker Ransomware and the much newer CashCat Ransomware. Since all of these threats produce similar visible symptoms, victims could assume that the file-locking routine is more secure than it is, or make other mistakes during the disinfection and data recovery process. As usual, even a low-level threat like the CashCat Ransomware can benefit from confusing its victims with aesthetic sleight-of-hand.

Unlike most of the similar Trojans that malware researchers examine, the CashCat Ransomware has no real encryption functionality built into its payload, for now. This absence causes most security products to either fail to detect it or to do so heuristically, as a generic threat. However, the CashCat Ransomware does add the '.locky' extensions to the names of various media files, such as pictures, music, and text documents, which may trick the users into thinking that their work is unusable.
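Because the rename described above leaves the file contents untouched, a responder can tell this kind of imitation apart from real encryption by looking at the data rather than the name. The following Python triage script is an added example, not code from the original write-up: it checks whether a known file header still survives under the appended '.locky' extension and whether the bytes look like ciphertext (high entropy), then strips the bogus extension only from files it judges intact. The signature table, file names and sample contents are constructed for the demonstration.

```python
import math
import os
import tempfile
from pathlib import Path

# Magic bytes for a few media types (a constructed subset, not an exhaustive table).
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
              b"ID3": "mp3", b"%PDF-": "pdf", b"PK\x03\x04": "zip/office"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: real ciphertext sits near 8.0, plaintext and most media headers well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))

def classify(head: bytes) -> str:
    """'intact' if a known header survived the rename, 'likely-encrypted' for headerless
    high-entropy data, otherwise 'unknown' (needs a manual look)."""
    if any(head.startswith(magic) for magic in SIGNATURES):
        return "intact"
    return "likely-encrypted" if shannon_entropy(head) > 7.0 else "unknown"

def triage_locky(directory, rename_intact=False) -> dict:
    """Inspect every *.locky file; optionally strip the appended extension from intact ones."""
    report = {}
    for path in sorted(Path(directory).glob("*.locky")):
        with open(path, "rb") as fh:
            verdict = classify(fh.read(4096))
        report[path.name] = verdict
        if verdict == "intact" and rename_intact:
            path.rename(path.with_suffix(""))  # "photo.jpg.locky" -> "photo.jpg"
    return report

def demo():
    """Run the triage over constructed samples written to a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "photo.jpg.locky": b"\xff\xd8\xff\xe0" + b"\x00" * 200,  # renamed, content intact
            "song.mp3.locky": b"ID3\x04\x00" + b"\x00" * 200,         # renamed, content intact
            "report.pdf.locky": os.urandom(4096),                     # simulated ciphertext
            "notes.txt.locky": b"meeting notes\n" * 50,               # no magic, low entropy
        }
        for name, data in samples.items():
            (Path(tmp) / name).write_bytes(data)
        report = triage_locky(tmp, rename_intact=True)
        recovered = sorted(p.name for p in Path(tmp).iterdir())
    return report, recovered
```

Run `demo()` to see the verdict per file and the directory listing after recovery; files flagged 'unknown' or 'likely-encrypted' are left alone for manual review.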

While the CashCat Ransomware is, currently, no more than an inconvenience or 'prank' program, its threat actors could update it with more attack features than it possesses as of December 4th. Malware experts outline the most likely of them as follows:

  • Non-consensual encryption can keep your files from opening, and may or may not be reversible with a custom decryption program. Most file-locker Trojans run this attack as an invisible background process.
  • The CashCat Ransomware may delete your local backups to stop you from recovering your media, with the Windows Shadow Volume Copies or the System Restore points being at high risk.
  • The CashCat Ransomware may display ransoming messages with its demands for the decryptor through a hijacked desktop wallpaper, text note or pop-up.

Putting Bad Cats Down

The CashCat Ransomware is nothing more than a superficial imitation of the '.locky File Extension' Ransomware and has none of the features that malware analysts expect from a 'serious' campaign of locking files for extortion. This 'simulated' file-locker Trojan's installer is a small Windows executable of half a megabyte, and its samples offer no evidence of how it might circulate. Criminals frequently favor introducing file-locker Trojans after brute-forcing a server, attaching them to spam e-mails, or uploading them to torrents.

Security steps all users should take against threats with symptoms like the CashCat Ransomware's include disabling 'risky' features like macros or JavaScript, updating their admin account passwords, and scanning e-mail attachments before opening them. Only a few anti-malware programs detect the CashCat Ransomware, and most do so heuristically, without an individualized database entry. Always update your security software frequently to keep its detection accurate and effective, and use it to uninstall the CashCat Ransomware as appropriate.

Even though the CashCat Ransomware isn't very threatening in its current state, that status can change within weeks or even days. Any Windows users hoping that all the threats targeting their files will remain as neutered as the current samples of the CashCat Ransomware may find themselves in the uncomfortable position of losing a computer's or server's worth of content.
