A new cat-themed ransomware targeting Android users has been uncovered. The hackers behind it display a seemingly innocent and cute image of a cat once an infected device has been remotely locked. The ransomware also lets the attackers steal SMS messages, encrypt victims' files and block access to the phone.
Dubbed El Gato by McAfee Labs security researchers, the ransomware was also found to have botnet capabilities and to run on a "legitimate cloud service provider". It is operated through a web-based control panel, which allows the hackers to send commands to infected devices remotely. The infected app periodically polls the C&C (command and control) server for new commands, which are sent over plain HTTP without any encryption.
"This ransomware variant looks like a demo version used to commercialise malware kits for cybercriminals because the control server interface is not protected and includes in the code words such as 'MyDificultPassw'. These kinds of threats are usually distributed by attackers who buy exploit kits on black markets and who want to attack a specific company or group of people. The attackers often use phishing campaigns, Trojanised apps, social media networks, or other social engineering techniques," said McAfee Labs security expert Fernando Ruiz.
No ransom note or demand
The current version of the El Gato ransomware does not come with a ransom note, nor does it make any demand for money. Instead, it simply displays a picture of an adorable cat once the infected device's screen has been locked. Hence the name El Gato, which roughly translated means "cat" in Spanish.
The authors of the ransomware can steal, forward and delete all SMS messages, send a message from an infected device and encrypt files stored on the SD card. However, the encrypted files can be recovered using a decryption routine built into the ransomware itself, which was likely included so that the hackers could decrypt files once a ransom was paid.
"The application code contains a method to decrypt the affected files; thus this ransomware app can be forced to decrypt files if one invokes the appropriate method," Ruiz added.
Given that the analysis suggests El Gato is a demo version used to market exploit kits on the dark web, and that the ransomware currently comes with no ransom note or demands, it is likely that El Gato is still in development.