
Cassetto Ransomware

Posted: August 28, 2018

The Cassetto Ransomware is a file-locking Trojan that blocks media such as documents by encrypting them and then labeling them with the '.cassetto' extension. Although its campaign targets Italian victims, the Cassetto Ransomware may lock files on PCs with other language settings indiscriminately, and no decryptor is currently available to the public. You can protect your PC by blocking this threat's installation with anti-malware tools, or use such software to uninstall the Cassetto Ransomware as soon as possible afterward.

What's Hiding in the Wrong Drawer

A file-locking Trojan that shares no components with other known threats like Hidden Tear, the Jigsaw Ransomware, or the RaaS-distributed Scarab Ransomware family is attacking Italian PC owners with unauthorized encryption. Besides encrypting files, the Cassetto Ransomware adds a new extension to everything that it blocks and drops a unique ransom message, written in English. Like the majority of the file-locking Trojans it competes with, the Cassetto Ransomware launches these attacks solely to collect Bitcoin payments.

The Cassetto Ransomware appends its name (Italian for 'drawer') to the files that it encrypts. Malware experts have yet to analyze its encryption method; AES, XOR and RSA are the algorithms most commonly chosen by this class of threat. The encryption routine, like those of most file-locker Trojans, preferentially targets media such as Excel spreadsheets or Word documents and leaves them unable to open. The threat actor uses the blocked files as leverage for extorting the ransom.

The ransom-negotiation half of the Cassetto Ransomware's payload drops a plain-text (Notepad) message that malware experts have not seen in any other recent campaign by similar file-locking Trojans. Besides implying that the Cassetto Ransomware's operation targets business networks, the note gives only a vague estimate of the ransom demand (between one-half and twenty-five Bitcoins, or roughly three thousand to over one hundred thousand USD at the time of writing) and includes a variety of blatant grammar errors.
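The two artifacts described above, the '.cassetto' suffix and a plain-text ransom note, are what a responder first inventories on a hit share. The following Python script is an added example written for this page; it is not code from the article or from the Trojan. It walks a directory tree, recovers the original extension hidden behind each '.cassetto' suffix, checks whether the file's original magic bytes survived (a file that was only renamed, not encrypted, can be recovered by removing the suffix), and flags small .txt files that read like a ransom note. The note's real filename is undocumented, so the keyword match and the sample directory contents are assumptions constructed for the demo.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".cassetto"

# Leading bytes of common document formats. A '.cassetto' file whose body
# still starts with its original magic was renamed, not encrypted, and can be
# recovered by removing the suffix; one that does not is genuinely locked.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
}

# Assumption: the ransom note is a small English .txt file that mentions
# Bitcoin or decryption. Its real filename is not documented, so we match on
# content rather than on a name.
NOTE_PATTERN = re.compile(r"bitcoin|decrypt", re.IGNORECASE)
NOTE_MAX_BYTES = 64 * 1024


def classify_locked(path: Path) -> dict:
    """Describe one '.cassetto' file: the extension it had before the Trojan
    renamed it, and whether that format's header survived."""
    original_ext = Path(path.stem).suffix.lower()      # 'q2.xlsx.cassetto' -> '.xlsx'
    magic = MAGIC.get(original_ext)
    header_intact = None                               # None: format unknown to us
    if magic is not None:
        with open(path, "rb") as fh:
            header_intact = fh.read(len(magic)) == magic
    return {"path": path, "original_ext": original_ext, "header_intact": header_intact}


def inventory(root) -> dict:
    """Walk `root` and report locked files, suspected ransom notes and a
    count of which original extensions were hit."""
    locked, notes = [], []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == LOCKED_SUFFIX:
            locked.append(classify_locked(path))
        elif suffix == ".txt" and path.stat().st_size <= NOTE_MAX_BYTES:
            if NOTE_PATTERN.search(path.read_text(errors="replace")):
                notes.append(path)
    by_ext = Counter(entry["original_ext"] or "(none)" for entry in locked)
    return {"locked": locked, "notes": notes, "by_ext": by_ext}


def build_sample_tree(root) -> None:
    """Constructed stand-in for a hit file share; not real Cassetto artifacts."""
    share = Path(root) / "finance"
    share.mkdir(parents=True, exist_ok=True)
    junk = b"\x13\x37" * 32                             # stands in for ciphertext
    (share / "q2.xlsx.cassetto").write_bytes(junk)
    (share / "memo.docx.cassetto").write_bytes(junk)
    # Renamed only: the ZIP header of a .docx is still in place.
    (share / "draft.docx.cassetto").write_bytes(b"PK\x03\x04" + b"\x00" * 60)
    (share / "README.txt").write_text(
        "Your files are encrypted. Pay 0.5 to 25 Bitcoin to decrypt them.")
    (Path(root) / "untouched.pdf").write_bytes(b"%PDF-1.4 sample")


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return inventory(tmp)


if __name__ == "__main__":
    result = run_demo()
    for entry in result["locked"]:
        print(f"{entry['path'].name}: was {entry['original_ext']}, "
              f"header intact: {entry['header_intact']}")
    print("suspected notes:", [n.name for n in result["notes"]])
    print("hit by extension:", dict(result["by_ext"]))
```

Run it against a copy of the affected share, never the live one, and treat `header_intact: True` as the cheap win: those files were never encrypted. The magic-byte table only covers a handful of formats, so `None` means "unknown", not "encrypted".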

Although the only confirmed victims are in Italy, the Cassetto Ransomware infections have no strict geographical limits: the Trojan does not, for example, filter out systems with the 'wrong' language settings or IP addresses.

Shutting Italian Drawers Full of Trojans

The only Cassetto Ransomware victims that malware analysts have verified so far date from late August of 2018. While its specific infection strategy requires more analysis to determine, file-locker Trojans that specialize in compromising networks are prone to using brute-force attacks that break weak login credentials (such as default passwords or short, simple, easily guessable ones). Some workers also may compromise their PCs by opening a disguised e-mail attachment, such as a Word document that runs a corrupted macro.
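The brute-force entry path described above is visible in logon telemetry long before any file is encrypted. The following Python detector is an added example for this page, not code from the article or from any vendor product. It runs over a constructed sample of Windows logon records (event 4625 is a failed logon, 4624 a successful one, logon type 10 is Remote Desktop) that have been flattened to one line each; the line format, the source addresses and the five-failures-in-sixty-seconds threshold are assumptions chosen for the demo. It raises one alert when a source exceeds the failure threshold inside the window and a second, more urgent alert when that same source later logs in successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Windows logon events flattened to one line each
# (4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP).
# Not a real log from a Cassetto incident; addresses are documentation ranges.
SAMPLE_LOG = """\
2018-08-27T03:12:01Z 4625 src=203.0.113.7 user=administrator logon_type=10
2018-08-27T03:12:03Z 4625 src=203.0.113.7 user=admin logon_type=10
2018-08-27T03:12:05Z 4625 src=203.0.113.7 user=administrator logon_type=10
2018-08-27T03:12:08Z 4625 src=203.0.113.7 user=admin logon_type=10
2018-08-27T03:12:12Z 4625 src=203.0.113.7 user=administrator logon_type=10
2018-08-27T03:12:15Z 4625 src=203.0.113.7 user=administrator logon_type=10
2018-08-27T03:12:40Z 4624 src=203.0.113.7 user=administrator logon_type=10
# a line the parser must skip
2018-08-27T03:15:00Z 4625 src=198.51.100.4 user=alice logon_type=10
2018-08-27T04:40:00Z 4625 src=198.51.100.4 user=alice logon_type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+) logon_type=(?P<lt>\d+)$")

THRESHOLD = 5                   # failures from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window trips an alert


def parse(line: str):
    """Turn one record into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event": int(m["event"]), "src": m["src"],
            "user": m["user"], "logon_type": int(m["lt"])}


def detect(lines, threshold=THRESHOLD, window=WINDOW) -> list:
    """Sliding-window brute-force detector keyed on source address. A later
    successful logon from a flagged source is reported separately, because
    that is the moment the attacker is inside."""
    recent = defaultdict(deque)      # src -> timestamps of failures in window
    users_tried = defaultdict(set)   # src -> account names guessed
    flagged = {}                     # src -> time first flagged
    alerts = []
    events = sorted(filter(None, (parse(line) for line in lines)), key=lambda e: e["ts"])
    for e in events:
        src = e["src"]
        if e["event"] == 4625:
            window_q = recent[src]
            window_q.append(e["ts"])
            while e["ts"] - window_q[0] > window:   # drop failures older than the window
                window_q.popleft()
            users_tried[src].add(e["user"])
            if len(window_q) >= threshold and src not in flagged:
                flagged[src] = e["ts"]
                alerts.append({"type": "brute_force", "src": src, "at": e["ts"],
                               "failures": len(window_q),
                               "users": sorted(users_tried[src])})
        elif e["event"] == 4624 and src in flagged:
            alerts.append({"type": "success_after_brute_force", "src": src,
                           "at": e["ts"], "user": e["user"],
                           "logon_type": e["logon_type"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The slow pair of failures from 198.51.100.4 never trips the window, which is the point of keying on a time window rather than a raw count. The `success_after_brute_force` alert is the one to page on: at that point a disguised-macro or credential-guessing intruder already has an RDP session, and disabling the endpoint's anti-malware is typically the next step.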

Maintaining your network security protocols can keep the Cassetto Ransomware from compromising the PC in the first place, as well as limit its access to other servers and their backups. Decryption may not be possible after a Cassetto Ransomware attack, so backing up files to safe (offline or otherwise isolated) locations remains the preferable defense. Anti-malware programs also may delete the Cassetto Ransomware immediately, although any threat actor who brute-forces a way into a network could disable that software first.

Threat actors usually choose their victims by maximizing their effort-to-profit ratio, which is why larger and more populous nations see the most file-locking Trojan traffic. However, the Cassetto Ransomware is one of many reminders that being Italian, Polish, or Turkish is no escape from threats of this kind, as long as users are lax about backing up what's theirs.
