What is Katyusha ransomware? And how does it execute its attack?
Katyusha ransomware is another file-encrypting virus discovered recently. Just like other typical ransomware threats, this new one follows the same sequence in executing its attack. First, it drops a payload file in the system which is the one that connects the system to a C&C server. From there, it downloads its malicious components and puts them into system folders.
After the infiltration, Katyusha ransomware will begin to make some adjustment in some settings in the system. It modifies registry entries and keys as well as creates new ones in the Windows Registry which allows it to achieve persistence in its attack. It also uses data gathering module to harvest information in the system. The harvested data is then used along with some malicious components for the stealth protection module which prevents any antivirus or security programs from interfering with the attack. Once all the system changes are applied, it starts the encryption process by encrypting its targeted files and once it’s done, it appends .katyusha extension to every encrypted file and drops a file named “_how_to_decrypt_you_files.txt” which contains the following message:
“=====================================HOW TO DECRYPT YOU FILES====================================
All your documents, photos, databases and other important personal files were encrypted!!
Please send 0.5 bitcoins to my wallet address: 3ALmvAWLEothnMF5BjckAFaKB5S6zan9PK
If you paid, send the ID and IDKEY to my email: [email protected]
I will give you the key and tool
If there is no payment within three days
we will no longer support decryption
If you exceed the payment time, your data will be open to the public download
We support decrypting the test file.
Send two small than 2 MB files to the email address: [email protected]
Your ID:[redacted 8 numbers]
Your IDKEY:
================================================
[redacted 0x100 bytes in base64]
================================================
Payment site https://www.bithumb.com/
Payment site http://www.coinone.com/
Payment site https://www.gopax.co.kr/
Payment site http://www.localbitcoins.com/
Officail Mail:[email protected]”
As you can see, crooks try to lure users into paying the ransom by supposedly allowing them to restore two small encrypted files that are less than 2MB in size. However, no matter how believable the ransom note may be, you must not, in any way, reach out to these crooks and pay the 0.5 Bitocin ransom as they will only trick you in the end. It would be best if you focus on obliterating this crypto-malware from your system as well as try alternative methods in restoring your files without having to pay the ransom.
How does Katyusha ransomware proliferate?
Although the distribution of this threat is relatively low, it can still reach your computer in the form of an attachment from your email. Usually, crooks attach the malicious payload of the ransomware to spam emails. They also tend to disguise such malware-laden emails to make sure users get to open the attachment. They usually put attention-seeking subjects like receipt, invoice, bank statement and so on. Thus, you need to double check emails first before you open them to avoid crypt-malware threats like Katyusha ransomware.
Follow the removal guide given below to kill Katyusha ransomware.
Step 1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 2: Go to the Processes tab and look for the malicious processes of Katyusha ransomware and then right click on it and select End Process or End Task.

 
Step 3: Close the Task Manager and open Control Panel by pressing the Windows key + R, then type in “appwiz.cpl” and then click OK or press Enter.
Step 4: Look for dubious programs that might by related to Katyusha ransomware and then Uninstall it/them.

 
Step 5: Close Control Panel and then tap Win + E to launch File Explorer.
Step 6: After opening File Explorer, navigate to the following directories below and look for Katyusha ransomware’s malicious components such as _how_to_decrypt_you_files.txt, [random].exe and other suspicious-looking files and then erase them all.

• %TEMP%
• %APPDATA%
• %DESKTOP%
• %USERPROFILE%\Downloads
• C:\ProgramData\local\

Step 7: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name], this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 8: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.

Step 9: Navigate to the listed paths below and look for the registry keys and sub-keys created by Katyusha ransomware.

• HKEY_CURRENT_USER\Control Panel\Desktop\
• HKEY_USERS\.DEFAULT\Control Panel\Desktop\
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Step 10: Delete the registry keys and sub-keys created by Katyusha ransomware.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
Try to recover your encrypted files using their Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if Katyusha ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.

Once you’re done executing the steps given above, you need to continue the removal process of Katyusha ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.

1. Turn on your computer. If it’s already on, you have to reboot it.
2. After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
3. 
   3. To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
   4. Windows will now load the Safe Mode with Networking.
   5. Press and hold both R key and Windows key.

   

   6. If done correctly, the Windows Run Box will show up.
   7. Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
   8. After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
   9. Once the installation process is completed, run [product-code] to perform a full system scan.

   

   10. After the scan is completed click the “Fix, Clean & Optimize Now” button.