Showing posts with label Cdtt Ransomware. .Cdtt extension.

Wednesday, January 10, 2024

Remove Cdtt Ransomware Virus (+Decrypt .Cdtt files)

After a recent analysis of malware samples uploaded to VirusTotal, it has been determined that Cdtt belongs to the Djvu ransomware family. Its primary objective is to encrypt data, and it generates a ransom note ("_readme.txt") while appending the ".cdtt" extension to filenames (e.g., it renames "1.jpg" to "1.jpg.cdtt", "2.png" to "2.png.cdtt", etc.).


It is crucial to highlight that Djvu family variants are frequently distributed alongside information stealers such as RedLine and Vidar.

Cdtt ransom note overview

The ransom note reassures the victim, claiming that they can recover all their files, including pictures, databases, and important documents. The files have been encrypted with robust encryption and a unique key. The note asserts that the only way to restore the files is by purchasing a decrypt tool and a personalized key.

It offers a free decryption of one file as a guarantee, with the condition that the file should not contain valuable information. The price for the private key and decryption software is stated as $1999, but a 50% discount is available if contacted within the initial 72 hours, reducing the price to $999.

The note warns that data restoration is impossible without payment. To obtain the software, the victim is instructed to contact the email address support@freshingmail.top or use another email address, 

Cdtt Ransomware Encryption process

The Cdtt ransomware uses the Salsa20 encryption algorithm. It is not the strongest cipher available, but it still provides an overwhelming number of possible decryption keys. To brute-force the 78-digit number of keys, you would need 3.5 unvigintillion years (1*10^65), even with the most powerful regular PC. Quantum computers would do somewhat better, but still far too slowly to get your files back within your lifetime.

The encryption procedure is as follows: the malware scans each folder for files it is able to encrypt. When it finds a target, it makes a copy of the file, deletes the original, encrypts the copy and leaves it in place of the deleted original. This copy-and-replace approach avoids the situation where a file is already open and Windows file restrictions would prevent the ransomware from reading it. To each encrypted copy, the virus adds the specific extension ".cdtt". The ransomware then creates a _readme.txt file in the folder containing the encrypted files and moves on to the next folder.
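A defender's triage of the footprint just described, as an added example (not code from the original post): it walks a directory tree, recovers original filenames from the ".cdtt" suffix, and flags folders where the ransom note and the encrypted files do not line up. The sample tree is constructed in a temporary directory, and the names `triage`, `build_sample_tree` and `demo` are the example's own.

```python
import os
import tempfile
from collections import defaultdict

ENCRYPTED_EXT = ".cdtt"      # appended to every encrypted copy
RANSOM_NOTE = "_readme.txt"  # dropped in each folder the malware processed

def triage(root):
    """Map the footprint under `root`: folder -> original filenames, folders
    holding a note, and the two mismatches worth a second look (encrypted
    files without a note, notes without encrypted files)."""
    encrypted = defaultdict(list)
    notes = set()
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name == RANSOM_NOTE:
                notes.add(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                # "1.jpg.cdtt" -> "1.jpg": the name the victim will look for
                encrypted[rel].append(name[:-len(ENCRYPTED_EXT)])
    return {
        "encrypted": {k: sorted(v) for k, v in encrypted.items()},
        "notes": sorted(notes),
        "encrypted_without_note": sorted(set(encrypted) - notes),
        "notes_without_encrypted": sorted(notes - set(encrypted)),
    }

def build_sample_tree(base):
    """Constructed sample tree mirroring the renaming described in the post."""
    layout = {
        "Pictures": ["1.jpg.cdtt", "2.png.cdtt", RANSOM_NOTE],
        "Docs": ["report.docx.cdtt"],  # no note: encryption run was cut short
        "Empty": [RANSOM_NOTE],        # note only: nothing here to encrypt
        "Untouched": ["notes.txt"],    # clean folder, must not be reported
    }
    for folder, files in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in files:
            with open(os.path.join(base, folder, name), "w") as fh:
                fh.write("constructed sample content\n")

def demo():
    # Build the sample tree in a scratch directory and triage it.
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)

if __name__ == "__main__":
    for folder, names in sorted(demo()["encrypted"].items()):
        print(f"{folder}: {', '.join(names)}")
```

Point `triage()` at the root of a real share to get the same per-folder inventory; the "encrypted but no note" list is the quickest indicator of where the run was interrupted.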

For more info, read: Remove Cdtt Ransomware